Popular app Sarahah uploads your data without your consent

Written by Ali Leghari

Sarahah, an anonymous feedback app, took the world by storm and is still going strong in almost 30 countries including the USA, France, and Saudi Arabia. Sarahah, which means “honesty” in Arabic, is an app that allows users to send and receive honest feedback while keeping their anonymity. However, the app does more than give people a platform to send or receive feedback: after a user launches it for the first time on a mobile device, it collects and uploads your data, which comprises phone numbers and email addresses.

The app sometimes asks for permission to access the contacts. However, no message pops up stating that the app will upload the data in any manner whatsoever. The iOS version of the app, when a user launches it for the first time, asks permission to access your contacts to let you know how many people in your contact list are using the app, giving the option to “allow” or “don’t allow”. The Android app, by contrast, asks for such permission in some cases, but “on neither operating system does it mention uploading data to a server.”

This behavior was first discovered by Zachary Julian, a senior security analyst at Bishop Fox. When Zachary launched the app on his Android phone, which was set up with Burp Suite, software that monitors traffic entering and leaving the smartphone, he saw that the app was uploading his private data and sending it to remote servers without his consent.

The creator of the app, Zain al-Abidin Tawfiq, said in a tweet that contacts data was being uploaded for the company’s “planned ‘find your friends’ feature” update, which was delayed due to some technical issue. However, while talking to a news media outlet, Zain al-Abidin Tawfiq said that this functionality was supposed to be removed by a partner who once worked with him but somehow he “missed that”. Zain also said that this function has now been removed from the app, which no one can verify.

The use of one’s private data without his/her consent is against the company’s policies, terms, and conditions. The company writes on its website, “We didn’t design this website to collect your personal data from your computer while browsing this site. But will only use the data you provided with you being aware and your personal desire. When we need any data from you. We will ask you for your consent. As this data will help us contact you and satisfy your orders whenever possible. We will never sell the data you provide to any third party as part of personal marketing without your prior and written consent unless it was a part of bulk data used for statistics and research and it won’t contain any data to identify you.”

It is quite appalling that a user’s whole address book is uploaded to a server. If the server is compromised, millions of contacts and addresses will be out on the internet for everyone to see and exploit.

The Sarahah app debuted on 13th June on Apple’s App Store.