Information Security / Sarahah app harvesting contacts and email addresses from millions of devices
Sarahah app harvesting contacts and email addresses from millions of devices
31 August 2017 |
Sarahah, the popular messaging app that offers people anonymity while sending messages to others, could be invading your privacy more than you think.
Researchers have noticed that Sarahah transfers contact information of users to its servers without offering anything in return.
Sarahah debuted in the Middle East earlier this year, but after its international version was launched this summer, it has so far attracted over 20 million users. And why not? The app offers people the anonymity they need to come clean with their thoughts about others without facing the risk of being discovered.
Such has been its popularity that millions of users are now sharing messages they receive on the Sarahah app on their Facebook and Twitter feeds. These range from appreciations and outpourings of love to brutally honest opinions and criticisms. While the anonymity may open the gates to abuse and cyber bullying, and it has to an extent, the app has been holding up well so far.
However, researchers are now suggesting that despite the anonymity it offers, Sarahah's developers aren't as privacy conscious as users may believe. According to security researcher Zach Julian, the app contains a functionality 'to send every phone number, email address, and associated names on a device to Sarahah’s servers'.
After the app is installed on an iOS or Android device, it accesses all phone contacts and email contacts stored on the device and sends them over to its server. While iOS users will receive notifications asking for their permission so that Sarahah could access contacts, only those using Android phones with Android 6.0 Marshmallow OS will receive such notifications.
This means that the vast majority of Android device users who are using Android 5.1 Lollipop or older versions cannot control Sarahah's access to device contacts. While accessing contacts is a thing that thousands of apps do, what Sarahah does is that it harvests such information without offering anything in return to app users.
'While it’s not uncommon for mobile applications to upload your contacts as part of a ‘find your friends’ feature, Sarahah has no such functionality. The creator of Sarahah has replied that this was planned for future implementation, that no contact data is stored, and that the application will not upload contacts in the next update,' said Julian.
'Sarahah, on both Android and iOS, does not provide users enough information on how their phone’s contact details will be used. While this functionality is claimed to be part of a future release, and that “the Sarahah database doesn’t currently hold a single contact”, unfortunately all we have is the company’s word,' he added.
According to Zain al-Abidin Tawfiq, the creator of Sarahah, the app harvests contact information from devices so that it can offer users a ‘find your friends’ feature in the future. The release of this feature was delayed due to technical reasons but the app stores no contacts in its database anymore.
Drew Porter, founder of security firm Red Mesa, told The Intercept that while people may be willing to share their contacts with Sarahah, they shouldn't do so until they are aware of the security of Sarahah's servers which store their sensitive details.
“I do find it concerning, mostly because the information that the company may be getting could be what other people consider very private, and you don’t know the security of the company that is getting it. We’ve seen popular apps before, total information leakage comes out, and it’s devastating to those companies. I believe it’s even more devastating to the user whose information was compromised," he said.
With Sarahah able to access contact lists of millions of Android and iOS users, it remains to be seen if its owners will be able to secure such information from hacking attempts in the future, or if they'll provide fresh evidence to cyber security experts to prove their claim that their servers no longer hold such information.
Latest posts by Jay Jay (see all)
- TalkTalk failed to inform 4,545 customers that they were victims of 2015 breach - 22nd May 2019
- Google stops Huawei’s access to Android updates and Google services - 20th May 2019
- Ten cyber criminals behind GozNym malware operations indicted in the US - 16th May 2019
- Less than 1% of data breach investigations by ICO resulted in monetary fines - 16th May 2019
- Huawei commits to signing non-spy agreement with Britain - 15th May 2019