Sarahah, a new app that lets people sign up to receive anonymized, candid messages, has been surging in popularity; somewhere north of 18 million people are estimated to have downloaded it from Apple and Google’s online stores, making it the No. 3 most downloaded free software title for iPhones and iPads.
Sarahah bills itself as a way to “receive honest feedback” from friends and employees. But the app is collecting more than just feedback messages. When launched for the first time, it immediately harvests and uploads all phone numbers and email addresses in your address book. Although Sarahah does in some cases ask for permission to access contacts, it does not disclose that it uploads such data, nor does it seem to make any functional use of the information.
Zachary Julian, a senior security analyst at Bishop Fox, discovered Sarahah’s uploading of private information when he installed the app on his Android phone, a Galaxy S5 running Android 5.1.1. The phone was routed through an intercepting proxy, Burp Suite, which captures internet traffic entering and leaving the device and lets the owner see exactly what data is sent to remote servers. When Julian launched Sarahah on the device, Burp Suite caught the app in the act of uploading his private data.
“As soon as you log into the application, it transmits all of your email and phone contacts stored on the Android operating system,” he said. He later verified the same occurs on Apple’s iOS, albeit after a prompt to “access contacts,” which also appears in newer versions of Android. Julian also noticed that if you haven’t used the application in a while, it’ll share all of your contacts again. He did some testing of the app on a Friday night, and when he booted the app on a Sunday morning, it pushed all of his contacts again. (You can see some of his testing in this video.)
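As an added illustration (not code from the article, from Bishop Fox, or from Sarahah), here is how a defender could automate the check Julian did by hand in Burp Suite: scan proxy-captured request bodies for bulk sets of e-mail addresses and phone numbers, and notice when the same set is sent again later. The host, path and JSON field names are assumptions, and the captured requests are constructed samples.

```python
import hashlib
import re
from typing import Dict, List

# Constructed samples of intercepted requests, in the shape a proxy such as
# Burp Suite would display them. The host, path and field names are assumed;
# the article does not give the app's real endpoint or request format.
CONTACT_SYNC = """POST /api/contacts/sync HTTP/1.1
Host: example-app.invalid
Content-Type: application/json

{"contacts": [{"name": "Alice", "phone": "+15551234567", "email": "alice@example.com"},
              {"name": "Bob", "phone": "+15559876543", "email": "bob@example.com"},
              {"name": "Carol", "phone": "+442071234567"}]}"""
MESSAGE_POST = """POST /api/messages HTTP/1.1
Host: example-app.invalid
Content-Type: application/json

{"to": "someone", "text": "honest feedback, reach me at me@example.com"}"""
# Third capture: the same address-book body sent again two days later,
# mirroring the re-upload behaviour the researcher observed.
CAPTURED_REQUESTS = [CONTACT_SYNC, MESSAGE_POST, CONTACT_SYNC]

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{7,}\d")  # loose E.164-style match, 9+ digits
BULK_THRESHOLD = 3  # identifiers in one body that suggest an address-book dump


def split_request(raw: str):
    """Split a raw HTTP request into (request line, lower-cased header dict, body)."""
    head, _, body = raw.partition("\n\n")
    lines = head.splitlines()
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return lines[0], headers, body


def extract_identifiers(body: str) -> Dict[str, List[str]]:
    """Pull e-mail addresses and phone numbers out of a body regardless of its encoding."""
    emails = sorted(set(EMAIL_RE.findall(body)))
    phones = sorted({re.sub(r"\D", "", m) for m in PHONE_RE.findall(body)})
    return {"emails": emails, "phones": phones}


def analyze_capture(raw_requests: List[str], threshold: int = BULK_THRESHOLD) -> List[dict]:
    """Flag bodies carrying a bulk set of contact identifiers, and repeats of a set
    already uploaded earlier in the capture."""
    seen_digests = set()
    findings = []
    for raw in raw_requests:
        request_line, headers, body = split_request(raw)
        ids = extract_identifiers(body)
        total = len(ids["emails"]) + len(ids["phones"])
        digest = hashlib.sha256("|".join(ids["emails"] + ids["phones"]).encode()).hexdigest()
        findings.append({
            "request": request_line,
            "host": headers.get("host", ""),
            "identifiers": total,
            "bulk_upload": total >= threshold,
            "repeat_of_earlier_upload": total >= threshold and digest in seen_digests,
        })
        if total >= threshold:
            seen_digests.add(digest)
    return findings
```

Running `analyze_capture(CAPTURED_REQUESTS)` marks the first request as a bulk upload, the message post as clean, and the third as a repeat of the first.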
Sarahah did not initially respond to requests for comment. After this piece was published, the app’s creator, Zain al-Abidin Tawfiq, tweeted that the contacts functionality would be removed in a future release and had been intended for a “‘find your friends’ feature.” He later told The Intercept the feature was stymied by “technical issues” and that a partner, whom he has since stopped working with, was supposed to remove it from the app but “missed that.” He claims the functionality was, however, removed from the server and that Sarahah stores no contacts in its databases. This is impossible to verify.
Drew Porter, founder of security firm Red Mesa, said that this type of behavior is more common than most users would expect, especially when apps, like Sarahah, are free. He said that even if users are willing to trust a piece of software with their address book data, there are reasons to avoid trusting the internet servers associated with the app. “It’s no longer that you have to worry about the data on your phone, it’s that you have to worry about the data on your phone that’s somewhere else that you have no control over being compromised,” he said. “It’s not just, ‘Oh, this company can see my information and I’m OK with that.’ You now have to think about the security of that company.”
When asked about Sarahah, Porter added, “I do find it concerning, mostly because the information that the company may be getting could be what other people consider very private, and you don’t know the security of the company that is getting it. We’ve seen popular apps before, total information leakage comes out, and it’s devastating to those companies. I believe it’s even more devastating to the user whose information was compromised.”
Will Strafach, president of Sudo Security Group Inc., pointed out that security researchers and app reviewers can only see what is happening on the device itself, rather than server side, making it impossible for anyone but the developer to know if the data is being stored or just used, and if stored, how well it is protected. “Even in an innocent use case, if the data is not being handled safely, a server breach could allow malicious parties access to this contacts data,” he said. “Additionally, there is no silver bullet to solving this. My team wrote software to automatically detect this behavior in iOS apps in order to call out bad actors, but we found that the information was not as useful as anticipated, because so many apps are doing it, and there is no reliable way to tell if the data is being handled safely on the server’s side, and that is the most important part.”
But Julian thinks that Sarahah uploading contacts is disconcerting, especially given the app’s popularity, and especially since most users don’t expect it to occur. On iOS, the app says, “The app needs to access your contacts to show you who has an account in Sarahah,” and allows the user to choose between “OK” and “Don’t Allow.” On Android, the app in some cases requests access to contacts without giving any reason for needing such access, and in other cases makes no such request. On neither operating system does it mention uploading data to a server. “The privacy policy specifically states that if it plans to use your data, it’ll ask for your consent,” Julian said. While the app’s entry in Google’s Play Store does indicate the app will access contacts, that’s not “enough consent” to justify “sending all of those contacts over without any kind of specific notification,” he added.
Despite claiming on iOS to use contact data to show the user who in their address book is on Sarahah, the app does not actually do so, Julian said, judging from his testing. If Sarahah did ever begin showing which of your contacts are on its network, as advertised, this would lead to a new problem: It would make it far easier to deduce who is sending messages. For now, it’s not clear how the data is being used.
“Sarahah has between 10 and 50 million installs on just the Play Store alone for Android, so if you extrapolate that number, it could easily get into hundreds of millions of phone numbers and email addresses that they’ve harvested,” Julian said. Sarahah is among the top five most downloaded apps in Google’s Play Store for Android, according to analytics firm App Annie.
It’s not entirely clear what Sarahah uses uploaded contact lists for, although the app’s privacy policy states that it will not sell the information to third parties without prior and written consent, unless it’s part of bulk data used for statistics and research.
Newer Android operating systems, starting with Android 6.0 (“Marshmallow”), do allow more granular app permissions, so users can block an app’s access to contacts or other information. However, all but the most expensive Android phones are notoriously slow to receive updates like Marshmallow; around 54 percent of Android users are on older versions that lack these per-app permissions; and users have to be savvy enough to know where to find the controls (Settings > Apps > Gear button > App permissions).
Other apps that send users’ contacts to external servers are more forthright in their privacy policies. For example, the so-called ephemeral messaging app Snapchat, which settled FTC charges in 2014 that its promises of disappearing messages were false, and which also transmitted user location and collected user address books without notice or consent, now has a robust privacy policy. It states that the app “may — with your consent — collect information from your device’s phonebook,” and that if you allow this, and you’re in another user’s contacts, Snapchat may combine information collected from their phone book with what it has collected about you. The prompt to add contacts states: “Find your friends. See which of your contacts are on Snapchat!” and the popup on iOS clearly says that the contacts will be uploaded to Snapchat’s servers “so you and others can find friends, and to improve your experience.”
Sarahah appears to be a much smaller operation than Snapchat. It was created in Saudi Arabia by Tawfiq, according to news accounts. It is just the latest in a series of apps pairing promises of anonymity with troubling privacy practices. Another was Secret, now defunct, which was supposed to traffic in anonymized messages from friends and mutual friends. In 2014, security researchers were able to decloak posters on the app by tricking the app’s contact-matching system.
A silver lining for Sarahah users concerned about privacy is that they don’t need to download the service’s app. Both sending messages and registering to receive them can be done through Sarahah’s website, and that site doesn’t ask for or access contacts from any of your digital address books.
Still, if Sarahah intends to continue scooping up users’ contact data via its mobile apps, Julian believes a more responsible path for the company would be to specifically inform the user about what data they are giving up and where it is going — and to provide them with a legitimate reason as to why the app actually needs it.
Top photo: A photo of Sarahah, a new app that lets people anonymously critique one another.
Update: Aug. 27, 2017, 1:35 p.m.
This piece was updated to include a new estimate of Android Sarahah installs from Julian.
Update: Aug. 27, 2017, 9:45 p.m.
This piece was updated to include a response from the creator of Sarahah.
You’re so beautiful.
Son of a bitch.
Peenoise lul
Sarahah is not free software as is stated in the article. If it were, this behaviour would be known at the outset, or would probably not be in the software at all.
I do not understand why people keep on using proprietary software. It is irresponsible.
Essentially FU and the app store that didn’t vet your product.
When HuffPo demanded contacts just to be able to comment, I wiped out my email contacts completely and signed in. I later utterly stopped using HuffPo and have not been back in about five years.
WhatsApp has been doing this from the beginning. I do not see any articles about them!
Ditto on the LastPass app!! Put all your passwords conveniently in one place. Even if you change them later, they have your thought patterns and preferred structures! Hahahaha ;-)
Anybody who does not use a pseudorandom algorithm for password generation is a fool and deserves to be hacked. There are plenty of open source applications out there, or if you are completely paranoid, you can write your own. I recommend Python because of its superior, Mersenne Twister-based pseudorandom number generator.
The fault lies with Google and Apple, who don’t prevent apps from going rogue (WhatsApp is another offender). Their app store police appear to exist only for the benefit of ensuring steady profits for Apple and Google, not to protect their customers.
If Apple and Google wanted, they could do it at no cost to them – all it takes is a line of smallprint requiring compliance with basic data protection and steep penalties for offenders.
Hello Americans! We are your friendly and trustworthy wallstreet buddies. We are here to make your life easier better and a whole lot more fun. And boy do we have the deals for you. Not only do you get fast easy and cheap, we will offer you coupon savings discounts and everything you need. YOU CAN TRUST US. Why? Because we said so!
And as a BONUS for reading this message, we will loan you more money for the higher prices you are going to pay for college and homes!
ps. That documentary on netflix called UNACKNOWLEDGED, dont believe a word of it.
It’s being used to make money by reselling the data.
What other use would they have since, as the researcher pointed out, it isn’t used to show you who is on the network.
This app is a very bad idea – a loudspeaker for trolls. Imagine your ex (let’s call her Sarah), who has had some unresolved emotional issues ever since you moved away, sending you anonymous honest feedback at a rate of 15 messages a day, then proceeding to write similar disturbed messages to your friends and coworkers, including details and phrases that make them think the anonymous crap could have been written by you… And this would be a quite likely scenario even when the app did just what it was supposed to, without selling your contact list to identity thieves and foreign government spooks.
Say you want to use some of the benefits of smartphones and are willing and able to protect yourself as much as possible (latest LineageOS without Google services, Xprivacy granular behavioral firewall, VPN, Blackphone, encryption, zero cloud storage, etc. etc.). Even then, your clueless relatives and “friends,” who are unable or unwilling to jump through such hoops (typically because they “have nothing to hide”) will leak your contact and any other info you exchange with them (voice, text, photos, etc.) from their unsecured factory-sabotaged devices. Much of that applies to non-smartphones as well. Alternatively, you may have neither a phone nor social media accounts, but similarly idiotic relatives and “friends” (who at that point might consider you a weirdo) will photograph or film you, then upload/share the media and happily tag you in it, feeding facebook’s (and thereby the government’s) facial recognition database. So essentially, if you want to have a social life, as in being able to socialize with averagely clueless humans, or if you have at least family relatives, you are already packaged and sold–or rather, betrayed by those closest to you. That is perhaps the most diabolical aspect of this technology.
When someone – friend or not – points a smartphone at me what they get is a photographic superposition of my face and my hand. When I take pictures of people I ask their permission. No permission = no photograph.
The thing that gets me the most about ‘social’ media is how fundamentally inconsiderate its users tend to be. I’m not talking about everyone, of course, but it seems that common courtesy and manners have gone out the window.
I call it a “smartass” phone. On my Android there is no way to turn off auto correct, which has resulted in some befuddling texts and extra ones to correct those. I have downloaded NO apps because I read the terms and conditions prior to doing so and realized early on just what spy devices these smartass phones are. Do we really need every shiny new object that comes along?
“without giving any need”
I guess that should be: without giving any reason.
“…president of Sudo Security Group, Inc….”
“Sudo”? Pronounced as in ‘pseudo’? That sounds like a marketing mistake or perhaps just a Freudian slip?
No, just a name that’s maybe a bit too clever.
Sudo, pronounced “soo doo” is a UNIX program that allows super user privileges on the fly.
My guess is it (Sarahah) is a means to gather intel on an unspecified population of people. What they want primarily is the address book and email contacts. The sent messages is just icing on the cake.
It’s all about the meta data, baby.
This is very similar to LinkedIn. Here, if you say yes to one prompt, LinkedIn will harvest your address book and send SPAM to everyone in it.
There is no more privacy; live accordingly. Show “Them” what you want Them to see. For now your deeper thoughts are still your own, but “They” can deduce your general line of thinking. They fear the silent rage of the majority much more than the vocal anger of minority left or right extremes, as well They should. When They screw it up enough, “It” will stop.
Anyone who’s done any type of covert communication surveillance knows that if they weren’t horrified by what was being said in public, they’re distraught by what’s said & thought in “private”. The more you find out about what the “majority” really think the more you NEED to keep listening to learn more. Sound familiar ?
Yes, “They” hear much general discontent and anger, both public and “private.” What they really do not see is the true danger to them: their own policies, which will in time create a screw-up so major it cannot be bailed out or concealed. Blame will be placed and change, for better or worse, will come.
The ruling class, for all their surveillance, information and analysis, can never predict their own failings and failure. They are so into themselves and short-term profit that they cannot steward a viable, stable future. They never take the high road, just the level way.
Sarahah is not the only company that does this. Virtually every app, and most certainly Verizon Wireless’s backup service, not only takes your contact list from your phone, but it is shared, or sold, to LinkedIn.
I have seen my personal data used this way. When I enter a person’s contact information into my phone, LinkedIn within 48 hours will be suggesting that person’s profile to me to connect with.
Companies share your data through third party agreements. It’s called “piggybacking”.
https://www.economist.com/news/special-report/21615871-everything-people-do-online-avidly-followed-advertisers-and-third-party
Shame. I installed LinkedIn on my phone and tablet to both connect with people (to avoid relatives spying on the Facebook page they set up for me and post things on without my consent), and to find a job.
There actually is a silver bullet for this: don’t use a “smart phone”. I mean, in all seriousness, just how freaking smart is it to pay $1000 for a phone when you can buy a mobile phone off the shelf for $10? How smart is it to access internet via a device that is specifically designed to uniquely identify you, to be subject to the control of a single corporation, and to be subject to instant billing by whoever can claim a right to do so?
It is true that some developers, trying to be part of a certain “in crowd”, or claiming a laziness that seems oddly permanent for such hastily built software, make ‘apps’ that only work for smart phones, sold under the all-seeing eye of ‘app stores’ that will instantly censor any politically incorrect or excessively entertaining product, which are blind to blatant privacy issues like this. I would say that the availability of an app only on a smart phone is conclusive proof that it is too dedicated to spying, prying, and scamming to be safe to run on a smart phone.
There are a lot of technologies that people keep dreaming will work someday, which never do. Half a century of teleprompters and not one politician can match Lincoln at speechmaking. Half a century of electronic commerce and you still groan when you see someone reach for their stupid little card and try to get checked out at a grocery store over and over and over again. And even if they last half a century, these ID-phones will never be an acceptable substitute for computers that were originally devised simply to compute.
Very true, it is good to keep to specific things for specified purposes, as you say. They function much better and faster without being weighted down. Nothing can multi task or replace the human brain. Do not know why humans are always fighting this? Then they have security issues? Would not use your toothbrush as a toilet brush?
This was explained in Lord of the Rings (think ‘ring’ as in a ringing phone). The smart phone conveys special powers which are too attractive to turn down. In exchange, you are bound forever to the Lord of the One Ring.
“The smart phone conveys special powers..”
Unfortunately, as the article suggests, none of them are invisibility.
I got a smart phone on my own. The phone in question has Amazon bloatware on it (Yes, I know I’m backing a CIA ally), but was unlocked and designed to be used on any service. I am using a prepaid provider for my phone. Most of my phone’s surfing is via wifi. I may be spied on, but at least I avoid big data fees and spend less money for it.
Roger all that. Until about a year ago I had a GSM phone. When it died, I bought a cheap smart phone and spent the first week I owned it turning off stuff that I couldn’t de-install. Even so it occasionally tries to turn on the WiFi. Tape over the face-facing camera, naturally.
I have a prepaid plan with T-Mobile; it costs me about $20 per year because I don’t walk around with the phone glued to my ear. For the internet I use a real computer; my home wireless network is secured, with a very long pseudorandom password.
of Something4gooseegg is exactly what your parents did, got them in the trouble you so deplore and have to cope with. Question is: are you stupid enough to require a smarter phone than you or not?