Sarahah App Secretly Uploads your Entire Contact List



I'm sure most of you have used Saraha or atleast saw your friends sharing the 'Feedbacks' they received from this app/website. This app became viral in US and even in India in a very short time. Even if the app was to receive honest feedback from friends, people used it to abuse and bully other people.

I remember when the app was first released many people questioned why this app is asking for so many permissions ? An app requesting access to the user's phonebook is quite common if the app provides any feature that works with contacts, but what shocking is that, there is no such functionality in Sarahah is available right now.

Zachary Julian, a senior security analyst at Bishop Fox, discovered something serious about Sarahah. He found that the app is uploading private information from the phone to its server. Zachary tested the app on his Galaxy S5 running Android 5.1.1 and used BURP Suite to intercept traffic. He found that the app is uploading his private data.

He confirmed that the app transmits all of your email and phone contacts stored o Android phone. He also verified the same with iOS and found the same thing.

Here is a video demonstration by Zachary Julian


Sarahah uploading address book data from The Intercept on Vimeo.

As soon as the news broke out,  the creator of Sarahah, Zain al-Abidin Tawfiq, responded to the story by saying his app actually harvests and uploads the contacts from users to the company's servers for a feature that will be implemented at a later time.

All newer Android operating systems (starting with Android 6.0 Marshmallow) allows users to limit permissions for apps, users can limit permissions so that apps do not gain access to contacts or other information that doesn't have anything to do with the app's functioning.

So next time when you use such an app, have a look at the permissions that it is asking for.