Sarahah, the app that allows users to anonymously comment on other users, is said to have over 18 million users across Android and iOS. The app, one of the top three downloaded apps on iPhone, allows “honest feedback” and has become a major hit among younger users.
The company is under fire after reports that the app is gathering user information.
Sarahah allegedly downloads the user’s contacts, including phone numbers and email addresses. The app asks for permission to access the user’s contacts at install time, but does not state that the data will be uploaded to the company’s servers.
Bishop Fox security analyst Zachary Julian used a Galaxy S5 phone running Android, instrumented with monitoring software to intercept the app’s network traffic. Julian determined that the app was uploading private data to the company’s server.
He found that every time a user logs into the app, it uploads private information to the app’s server.
If the user has not logged into the app for a while, the app sends the contact information again. The security testing video is available on Vimeo.
Sarahah’s founder has replied on Twitter, stating that the app “asked for contacts for a planned ‘find your friends’ feature.” He further states that the feature has been delayed due to technical issues. “The database doesn’t currently host contacts and the data request will be removed on next update,” he continues.
Sarahah’s founder, Zain al-Abidin Tawfiq, states that a partner was supposed to remove the code that gathers the user’s contacts, but has since stopped working with the company. He alleges that the developers “missed” the code and failed to remove it.
The data, although sent to Sarahah’s servers, may not be stored, according to security specialists. Security specialists can only observe what the device, in this case a Galaxy S5, is sending, not what the server does with the data once it arrives.