Sarahah App May Not Be Safe For Android, iOS Users, Here's Why
By now you all already know about Sarahah. This is the app that lets users secretly send messages to one another. And it is a craze, if you go by the Sarahah screenshots that have flooded Facebook. The app sure is fun to use, but a new report says that it is also a possibly big privacy risk. The app is reportedly copying phone numbers from the phones of all those who have installed it and sending those numbers to its own servers. The app is doing this without asking for explicit permission from users to copy phone numbers.
After the report came out, however, the app's creator clarified that this is for an unreleased feature that will be added to the app in the future. In a way, it is not that Sarahah doesn't ask to peek into a user's address book: when the app is installed, it seeks access to the phone numbers stored on the user's phone. But it doesn't specify that these numbers will also be copied and sent to Sarahah's server.
The new report comes after Zachary Julian, a senior security analyst at Bishop Fox, tried downloading the app and revealed that Sarahah is collecting users' phone book information and uploading it to its remote servers. After the information was made public, Sarahah creator ZainAlabdin Tawfiq explained that the app is copying users' phone numbers because it wants to offer a new feature in the future. This feature, likely to be "find your friends with phone number", will be rolled out to Sarahah users in the future, he says.
The Intercept was the first website to report on this. The privacy angle of Sarahah came into the limelight after Zachary Julian tried downloading the application on his Android phone and found that Sarahah asks for access to his contact list and then uploads the information to its remote servers.
"As soon as you log into the application, it transmits all of your email and phone contacts stored on the Android operating system," Zachary Julian wrote. He also discovered the same happening on Apple's iOS. Even on an iOS device, Sarahah asks for permission to access the user's contact list. "Julian also noticed that if you haven't used the application in a while, it'll share all of your contacts again. He did some testing on the app on a Friday night, and when he booted the app on a Sunday morning, it pushed all of his contacts again," reports The Intercept.
Soon after the report went viral on Twitter, Tawfiq replied, saying that it was done for a new feature that he and his team were planning to bring to the app. Tawfiq said, "Sarahah App asked for contacts for a planned 'find your friends' feature." It should be noted, though, that there is no such feature to search for friends on Sarahah as of now. Tawfiq further notes that "It was delayed due to a technical issue. The database doesn't currently host contacts and the data request will be removed on next update."
Although Sarahah is hardly the first app to do so, its popularity means that it can't get away with something like harvesting phone numbers. The fact that it is doing so without explicitly asking for it also aggravates the charges against it. Although the app does seek permission to access contacts when you install it, it doesn't tell users that the contacts will be copied and then sent to remote servers. Sarahah's creator says that the harvesting of phone numbers will be removed with the next update, but that raises another question: what will happen to the user data that the app has already collected?
Separately, Drew Porter, founder of security firm Red Mesa, highlighted "that this type of behavior is more common than most users would expect, especially when an app is free like Sarahah." He further said, "I do find it concerning, mostly because the information that the company may be getting could be what other people consider very private, and you don't know the security of the company that is getting it. We've seen popular apps before, total information leakage comes out, and it's devastating to those companies. I believe it's even more devastating to the user whose information was compromised."
Sarahah is used by millions of users, and it has also become one of the top trending applications on the app stores for both Android phones and the iPhone. People are going crazy about the application. Some users are using Sarahah for fun, while others are using it as a means of cyberbullying. Users who are misusing the application should be careful. This is no baseless comment: the Sarahah founder himself said so in an exclusive interview with the India Today Group. He said that the app was created to allow users to send constructive messages to each other, and that strict action would be taken against people misusing the anonymous nature of the app to troll or bully others. He added that if an app user didn't follow the privacy policy as stated by Sarahah, his/her identity could be revealed.