Hit App Sarahah Quietly Uploads Your Address Book

Sarahah, a new app that lets people sign up to receive anonymized, candid messages, has been surging in popularity; somewhere north of 18 million people are estimated to have downloaded it from Apple and Google’s online stores, making it the No. 3 most downloaded free software title for iPhones and iPads.

Sarahah bills itself as a way to “receive honest feedback” from friends and employees. But the app is collecting more than just feedback messages. When launched for the first time, it immediately harvests and uploads all phone numbers and email addresses in your address book. Although Sarahah does in some cases ask for permission to access contacts, it does not disclose that it uploads such data, nor does it seem to make any functional use of the information.

Zachary Julian, a senior security analyst at Bishop Fox, discovered Sarahah’s uploading of private information when he installed the app on his Android phone, a Galaxy S5 running Android 5.1.1. The phone was outfitted with monitoring software, known as Burp Suite, which intercepts internet traffic entering and leaving the device, allowing the owner to see what data is sent to remote servers. When Julian launched Sarahah on the device, Burp Suite caught the app in the act of uploading his private data.

“As soon as you log into the application, it transmits all of your email and phone contacts stored on the Android operating system,” he said. He later verified the same occurs on Apple’s iOS, albeit after a prompt to “access contacts,” which also appears in newer versions of Android. Julian also noticed that if you haven’t used the application in a while, it’ll share all of your contacts again. He did some testing of the app on a Friday night, and when he booted the app on a Sunday morning, it pushed all of his contacts again. (You can see some of his testing in this video.)

Sarahah did not initially respond to requests for comment. After this piece was published, the app’s creator, Zain al-Abidin Tawfiq, tweeted that the contacts functionality would be removed in a future release and had been intended for a “‘find your friends’ feature.” He later told The Intercept the feature was stymied by “technical issues” and that a partner, who he has since stopped working with, was supposed to remove it from the app but “missed that.” He claims the functionality was, however, removed from the server and that Sarahah stores no contacts in its databases. This is impossible to verify.

Drew Porter, founder of security firm Red Mesa, said that this type of behavior is more common than most users would expect, especially when apps, like Sarahah, are free. He said that even if users are willing to trust a piece of software with their address book data, there are reasons to avoid trusting the internet servers associated with the app. “It’s no longer that you have to worry about the data on your phone, it’s that you have to worry about the data on your phone that’s somewhere else that you have no control over being compromised,” he said. “It’s not just, ‘Oh, this company can see my information and I’m OK with that.’ You now have to think about the security of that company.”

When asked about Sarahah, Porter added, “I do find it concerning, mostly because the information that the company may be getting could be what other people consider very private, and you don’t know the security of the company that is getting it. We’ve seen popular apps before, total information leakage comes out, and it’s devastating to those companies. I believe it’s even more devastating to the user whose information was compromised.”

Will Strafach, president of Sudo Security Group Inc., pointed out that security researchers and app reviewers can only see what is happening on the device itself, rather than server side, making it impossible for anyone but the developer to know if the data is being stored or just used, and if stored, how well it is protected. “Even in an innocent use case, if the data is not being handled safely, a server breach could allow malicious parties access to this contacts data,” he said. “Additionally, there is no silver bullet to solving this. My team wrote software to automatically detect this behavior in iOS apps in order to call out bad actors, but we found that the information was not as useful as anticipated, because so many apps are doing it, and there is no reliable way to tell if the data is being handled safely on the server’s side, and that is the most important part.”

But Julian thinks that Sarahah uploading contacts is disconcerting, especially given the app’s popularity, and especially since most users don’t expect it to occur. On iOS, the app says, “The app needs to access your contacts to show you who has an account in Sarahah,” and allows the user to choose between “OK” and “Don’t Allow.” On Android, the app in some cases requests access to contacts without giving any reason for needing such access, and in other cases makes no such request. On neither operating system does it mention uploading data to a server. “The privacy policy specifically states that if it plans to use your data, it’ll ask for your consent,” Julian said. While the app’s entry in Google’s Play Store does indicate the app will access contacts, that’s not “enough consent” to justify “sending all of those contacts over without any kind of specific notification,” he added.

Despite claiming on iOS to use contact data to show the user who in their address book is on Sarahah, the app does not actually do so, Julian said, judging from his testing. If Sarahah did ever begin showing which of your contacts are on its network, as advertised, this would lead to a new problem: It would make it far easier to deduce who is sending messages. For now, it’s not clear how the data is being used.

“Sarahah has between 10 and 50 million installs on just the Play Store alone for Android, so if you extrapolate that number, it could easily get into hundreds of millions of phone numbers and email addresses that they’ve harvested,” Julian said. Sarahah is among the top five most downloaded apps in Google’s Play Store for Android, according to analytics firm App Annie.

It’s not entirely clear what Sarahah uses uploaded contact lists for, although the app’s privacy policy states that it will not sell the information to third parties without prior and written consent, unless it’s part of bulk data used for statistics and research.

Newer Android operating systems, starting with Android 6.0 (“Marshmallow”) do allow for more granular permissions for apps, allowing users to modify controls so that apps do not gain access to contacts or other information. However, all but the most expensive Android phones are notoriously slow to receive updates like Marshmallow, and around 54 percent of Android users are using older versions that don’t have these permissions, and users have to be savvy enough to know where to find the app permissions (Settings > Apps > Gear button > App permissions).

Other apps that send users’ contacts to external servers are more forthright in their privacy policies. For example, the so-called ephemeral messaging app, Snapchat, which settled FTC charges in 2014 that its promises of disappearing messages were false, and which also transmitted user location and collected user address books without notice or consent, now has a robust privacy policy which states that the app “may — with your consent — collect information from your device’s phonebook,” and that if you allow this, and you’re in another user’s contacts, that it may combine information collected from their phone book with what they have collected about you. The prompt to add contacts states: “Find your friends. See which of your contacts are on Snapchat!” and the popup on iOS clearly says that the contacts will be uploaded to Snapchat’s servers “so you and others can find friends, and to improve your experience.”

Sarahah appears to be a much smaller operation than Snapchat. It was created in Saudi Arabia by Tawfiq, according to news accounts. It is just the latest in a series of apps pairing promises of anonymity with troubling privacy practices. Another was Secret, now defunct, which was supposed to traffic in anonymized messages from friends and mutual friends. In 2014, security researchers were able to decloak posters on the app by tricking the app’s contact-matching system.

A silver lining for Sarahah users concerned about privacy is that they don’t need to download the service’s app. It’s possible to send messages on Sarahah and register to receive messages on Sarahah, via a website. And that site doesn’t ask for or access contacts from any of your digital address books.

Still, if Sarahah intends to continue scooping up user’s contact data via mobile apps, Julian believes a more responsible path for the company would be to specifically inform the user about what data they are giving up and where it is going — and to provide them with a legitimate reason as to why the app actually needs it.

Top photo: A photo of Sarahah, a new app that lets people anonymously critique one another.

Update: Aug. 27, 2017, 1:35 p.m.

This piece was updated to include a new estimate of Android Sarahah installs from Julian.

Update: Aug. 27, 2017, 9:45 p.m.

This piece was updated to include a response from the creator of Sarahah.