Sarahah App Secretly Steals Your Entire Contact List

Sarahah is a newly launched app that has become one of the hottest iPhone and Android apps in the past couple of weeks, allowing its users to sign up to receive anonymised, candid messages from other Sarahah users.
However, it turns out that the app silently uploads users’ phone contacts to the company’s servers for no good reason, a behaviour spotted by security analyst Zachary Julian.

When an Android or iOS user downloads and installs the app for the first time, the app immediately harvests and uploads all phone numbers and email addresses from the user’s address book, according to The Intercept.

While an app requesting access to the user’s phonebook is quite common if the app provides any feature that works with contacts, no such functionality in Sarahah is available right now.

“The privacy policy specifically states that if it plans to use your data, it’ll ask for your consent, while the app’s entry in Google’s Play Store does indicate the app will access contacts, that’s not enough consent to justify sending all of those contacts over without any kind of specific notification.”

However, the creator of Sarahah, Zain al-Abidin Tawfiq, responded to the story by saying his app actually harvests and uploads the contacts from users to the company’s servers for a feature that will be implemented at a later time.

Tawfiq said that users’ contact lists are being uploaded “for a planned ‘find your friends’ feature,” which was “delayed due to a technical issue” and was accidentally not removed from Sarahah’s current version.

Tawfiq also assured users that “the data request will be removed on next update” to the app and that Sarahah’s servers do not “currently host contacts,” which is, of course, impossible to verify.

Sarahah took the Internet by storm within a few weeks, becoming the third most downloaded free application for iPhones and iPads. The app has already been downloaded by an estimated 18 million users from Apple and Google’s online stores.

However, you can still use Sarahah without risking your contacts being uploaded to its servers by blocking the app from accessing them.

Since newer Android operating systems (starting with Android 6.0 Marshmallow) do allow users to limit permissions for apps, users can limit permissions so that apps do not gain access to contacts or other information that doesn’t have anything to do with the app’s functioning.

To do so, go to Settings → Personal → Apps; then, under Configuration App, open App permission and limit the permissions of the apps you like.

