Sarahah app, the viral ‘honesty app’ that has become everyone’s favorite mobile application is now facing serious scrutiny from security experts after being found storing contact information without the knowledge of users.
What is the Sarahah app?
The Sarahah app is a social networking and messaging site and app developed by Saudi Arabian developer Zain al-Abidin Tawfiq. It was originally launched in November 2016 as a simple social networking website.
In Arabic, Sarahah means ‘honesty,’ the core value from which the application was said to be founded.
According to an article from Mashable, Tawfiq’s original vision for Sarahah was to create a tool that would help employees provide unfiltered feedback to their employers.
The Humble Beginnings of the Sarahah app
The ‘honesty app’ was built on the developer’s belief that anonymity can make people more honest with their messages. Tawfiq realized that the Sarahah app could potentially improve the process of providing constructive feedback to employees within the corporate setting. He said:
“There’s an issue in the workplace: people need to communicate frankly to their bosses.”
However, the Arabian developer also believed that his program could help people share honest feedback with their friends without fear of causing conflicts or straining the relationship because of the anonymity provided by the app.
After sharing Sarahah with his so-called ‘influencer friend,’ Tawfiq’s website, which initially had around 70 users, immediately gained momentum. The website went viral in different Arab countries and acquired thousands of users.
Because of its popularity, Tawfiq decided to launch the Sarahah app in the Google Play Store and Apple’s App Store on June 13th of this year. Shortly after its debut, people from around the world took notice of the ‘honest app’ and started downloading it.
By July, the Sarahah app was already at the top of the most downloaded apps in over 30 countries worldwide and has more than 300 million users to date. However, things got shady for the viral app when a security analyst found out that the application was allegedly, and quietly, uploading phone contacts to the company’s server.
The Deal With Sarahah App Storing Contact Information
According to a report from the Intercept, Zachary Julian, a senior security analyst at Bishop Fox, installed the Sarahah app on his Samsung Galaxy S5, which runs Android 5.1.1 Lollipop.
Julian’s phone was set up to route its traffic through Burp Suite, an intercepting proxy that monitors everything that comes in and out of the mobile phone. With this setup, phone data being sent to remote servers can be inspected as it leaves the device.
Upon launching the Sarahah app, Burp Suite immediately caught the app uploading his personal data to Sarahah’s company server.
“As soon as you log into the application, it transmits all of your email and phone contacts stored on the Android operating system,” Julian said.
Julian conducted further investigation and found that the same thing happens on Apple mobile phones. However, on iPhones and on Android phones running newer versions of the Android OS, an ‘access contacts’ prompt is shown to the user before the upload.
The analyst also noticed that the Sarahah app re-uploads the contact information if you restart the app or have not used it for a while.
While it is nothing new for apps to request contact details and other information, especially for applications whose features need such data, Sarahah currently offers no feature that uses contacts at all.
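The kind of check Julian’s proxy setup enables can be automated: once requests are captured, a script can flag any upload whose body carries a whole address book rather than a single phone number or email. The following is an added example, not code from the article, Bishop Fox or Sarahah; the hosts, paths and contact values are constructed for illustration.

```python
import json
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample of intercepted requests in the shape an intercepting
# proxy such as Burp Suite exposes: method, host, path and raw body.
# Hosts and contacts are made up; this is not real Sarahah traffic.
SAMPLE_REQUESTS = [
    {"method": "POST", "host": "api.example-app.invalid", "path": "/login",
     "body": '{"user":"alice","password":"hunter2"}'},
    {"method": "POST", "host": "api.example-app.invalid", "path": "/sync",
     "body": json.dumps({"contacts": [
         {"name": "Bob", "phone": "+14155550123", "email": "bob@example.com"},
         {"name": "Carol", "phone": "+442071234567", "email": "carol@example.org"},
         {"name": "Dan", "phone": "+33123456789", "email": "dan@example.net"}]})},
    {"method": "GET", "host": "cdn.example-app.invalid", "path": "/logo.png",
     "body": ""},
]

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
# E.164-style numbers: optional '+' and 8 to 15 digits, not embedded in a
# longer token. Coarse on purpose: the signal is volume, not exact format.
PHONE_RE = re.compile(r"(?<![\w.])\+?\d{8,15}(?![\w.])")


@dataclass
class Finding:
    host: str
    path: str
    emails: int
    phones: int


def count_contact_fields(body: str) -> Tuple[int, int]:
    """Return (distinct emails, distinct phone numbers) found in a body."""
    return len(set(EMAIL_RE.findall(body))), len(set(PHONE_RE.findall(body)))


def find_contact_uploads(requests, threshold: int = 3) -> List[Finding]:
    """Flag write requests whose body carries at least `threshold` distinct
    emails or phone numbers: one number in a login form is normal, a batch
    of them in a single POST looks like an address-book upload."""
    findings = []
    for req in requests:
        if req["method"] not in ("POST", "PUT"):
            continue
        emails, phones = count_contact_fields(req["body"])
        if max(emails, phones) >= threshold:
            findings.append(Finding(req["host"], req["path"], emails, phones))
    return findings


if __name__ == "__main__":
    for f in find_contact_uploads(SAMPLE_REQUESTS):
        print(f"{f.host}{f.path}: {f.emails} emails, {f.phones} phones")
```

On the constructed sample only the `/sync` request is flagged; the login request, which contains no contact data, passes. In practice the threshold is tuned against the app’s normal traffic so legitimate single-contact requests are not reported.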
In his defense, Tawfiq responded to the report by saying that his app harvests and uploads contact information from users’ phones to the company’s servers in preparation for an upcoming feature that will be implemented at a later time.
Tawfiq explained that a certain ‘find your friend’ feature is on the way but was delayed due to technical difficulties. He went on to say that the request for contact information will be removed on the next Sarahah app update.
What Other Experts Have to Say About the Sarahah App
Drew Porter, the founder of security firm Red Mesa, said that this kind of behavior is common to free apps like Sarahah. While there are reasons to entrust address book data to an application program, Porter believes that people should still be vigilant.
“It’s no longer that you have to worry about the data on your phone, it’s that you have to worry about the data on your phone that’s somewhere else that you have no control over being compromised.
It’s not just, ‘Oh, this company can see my information and I’m OK with that.’ You now have to think about the security of that company,” Porter explained.
Porter further added that what the company did was concerning.
“I do find it concerning, mostly because the information that the company may be getting could be what other people consider very private, and you don’t know the security of the company that is getting it. We’ve seen popular apps before, total information leakage comes out, and it’s devastating to those companies. I believe it’s even more devastating to the user whose information was compromised.”
Will Strafach, president of Sudo Security Group Inc., shared the same sentiments, noting that since only the developers have access to the servers and to what happens behind the user interface, no one else can vouch for the security of the data. In a statement to the Intercept, he said:
“Even in an innocent use case, if the data is not being handled safely, a server breach could allow malicious parties access to this contacts data. Additionally, there is no silver bullet to solving this.
My team wrote software to automatically detect this behavior in iOS apps in order to call out bad actors, but we found that the information was not as useful as anticipated, because so many apps are doing it, and there is no reliable way to tell if the data is being handled safely on the server’s side, and that is the most important part.”
Right now, Sarahah app users are advised to review their mobile phone settings and limit the permission given to the app until the update Tawfiq promised has been rolled out.