The app Sarahah hit the market with a bang at the beginning of this year. As a free download, it was quickly installed on millions of phones around the world. It now turns out that this extremely popular free app sends the user's contact data to its server, without the user's permission or knowledge. The app collects the contacts from both Android and Apple smartphones.
Sarahah is an anonymous feedback app, yet it copies all of the user's contacts, including email addresses, without the user knowing. This data is sent back to the server, which could potentially use it without the knowledge or consent of the user.
The app went viral earlier this year, and once installed it reads this data straight from the phone's own address book.
This behaviour was first noted by Zachary Julian, a researcher at Bishop Fox. When it was brought to the attention of the app's founder, he made the following response.
The app's founder, Zain al-Abidin Tawfiq, said the contact upload was built for a planned "find your friends" feature. That feature was not included in the released app and was planned as a later upgrade. He responded to the issue via Twitter. In his tweets, he claims there was a technical problem: the data collection code was supposed to have been removed from the app before release, but this did not happen.
He said that Sarahah has removed the feature from its server and does not hold a database of the collected contacts. There is no way to verify this statement, so for now we have to take his word for it. What a user can check is whether the current version of the app still sends the address book, by watching its network traffic from the device; what has happened to data already uploaded cannot be checked from the outside.
Although some incidents of data collection can be innocent, there is always a risk attached to our information being available to less innocent parties. Sudo Security Group president Will Strafach stressed the risk of contact information getting into the wrong hands, noting that it could be used maliciously.
A further worry is that there is no easy, general solution to the problem. Each app that collects data would need to be examined and fixed individually to protect its users. Strafach said that many apps collect such data and there is no guarantee that the information is securely looked after once it reaches the server.
Sarahah has been downloaded onto more than 180 million phones across the globe, mainly through Apple's App Store and Google Play. It held a place in the top three most downloaded free apps, initially proving popular particularly on devices such as the iPhone and iPad. That ranking is now falling. Its popularity spread to the US, the UK, other Western countries and Asia from its early use in Canada.
This flash of interest happened earlier this year; the app was first popularised by a group of Arab expats, then in Canada. Its popularity raises concerns: the app does ask for permission, but it doesn't actually tell you what it will be accessing or what it will do with the data. Once permission is granted, the app can read everything that permission covers, including your contact information, and send it wherever it likes. A further concern is that its very popularity can lead to it being used to spread cyberbullying.
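The practical check behind the Bishop Fox finding, as an added example that is not part of the original article and not Sarahah's own code: route the phone's traffic through an intercepting proxy on a test device (mitmproxy or Burp, an assumption about tooling) and compare what each outbound request carries against the device's own address book. The script below does that comparison offline on two constructed HTTP requests; the hostname, paths, contact entries and request bodies are invented placeholders, not the app's real endpoints.

```python
import re

# Constructed address book, standing in for what an Android app reads through
# the ContactsContract API or an iOS app through the Contacts framework.
ADDRESS_BOOK = [
    {"name": "Alice Example", "email": "alice@example.com", "phone": "+1-555-0100"},
    {"name": "Bob Example", "email": "bob@example.net", "phone": "+1-555-0101"},
]

# Constructed outbound requests, as an intercepting proxy on the test device
# would show them. Host and paths are placeholders, not Sarahah's endpoints.
_UPLOAD_BODY = (
    b'{"contacts":[{"name":"Alice Example","email":"alice@example.com",'
    b'"phone":"+1-555-0100"},{"name":"Bob Example","email":"bob@example.net",'
    b'"phone":"+1 (555) 0101"}],"device_id":"constructed-0001"}'
)
CONTACT_UPLOAD = (
    b"POST /v1/contacts HTTP/1.1\r\nHost: app.example.invalid\r\n"
    b"Content-Type: application/json\r\n"
    b"Content-Length: " + str(len(_UPLOAD_BODY)).encode() + b"\r\n\r\n" + _UPLOAD_BODY
)
LOGIN_REQUEST = (
    b"POST /v1/login HTTP/1.1\r\nHost: app.example.invalid\r\n"
    b"Content-Type: application/json\r\n\r\n"
    b'{"username":"someone","password":"correct horse 2017"}'
)

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Loose phone pattern: optional +, then 8 or more digits with separators allowed.
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{6,}\d")


def normalise_phone(raw):
    """Keep digits only so "+1 (555) 0101" and "+1-555-0101" compare equal."""
    return re.sub(r"\D", "", raw)


def split_request(raw):
    """Split a raw HTTP/1.1 request into (request line, headers dict, body text)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body.decode("utf-8", "replace")


def contacts_in_request(raw, address_book):
    """Return which address-book entries appear in the request body.

    Matching is done on email addresses and digit-normalised phone numbers,
    so the body's encoding (JSON, form fields, CSV) does not matter.
    """
    request_line, headers, body = split_request(raw)
    emails = {e.lower() for e in EMAIL_RE.findall(body)}
    phones = {normalise_phone(p) for p in PHONE_RE.findall(body)}
    leaked = [
        c["name"]
        for c in address_book
        if c["email"].lower() in emails or normalise_phone(c["phone"]) in phones
    ]
    return {"request": request_line, "host": headers.get("host"), "leaked": leaked}


if __name__ == "__main__":
    for raw in (CONTACT_UPLOAD, LOGIN_REQUEST):
        result = contacts_in_request(raw, ADDRESS_BOOK)
        verdict = "LEAKS CONTACTS" if result["leaked"] else "clean"
        print(f'{result["request"]} -> {result["host"]}: {verdict} {result["leaked"]}')
```

On a real device the raw requests come from the proxy's saved flows rather than from inline constants, and the address book is exported from the test phone itself. A single matching entry is enough to flag a request: a feedback app has no reason to carry those values at all, which is exactly the point the researcher made.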