When an app asks you for access to your Contacts, do you ever think about what it might be doing with them? Hit anonymous messaging app Sarahah seems to be banking on the idea that you don’t, and the software is doing something with that data that seems a bit shady. According to a recent report from The Intercept, Sarahah might compromise your Contacts, including the anonymity of everyone in them.
What Is Sarahah, Anyways?
This was, at one time, the third most-downloaded free app for the iPhone and iPad. Sarahah, according to its description, “helps you in discovering your strengths and areas for improvement by receiving honest feedback from your employees and your friends in a private manner.”
When you sign up for Sarahah, it allows you to receive anonymous messages from other users. These messages might be thoughts of encouragement, helpful criticism, or praise for something you’ve been doing particularly well. The app is pretty new to the mobile economy, but has grown by leaps and bounds, supposedly because of its ability to maintain complete anonymity when you’re telling someone else what you think about them.
In truth, it seems that Sarahah is collecting more than just feedback messages. According to Zachary Julian, a senior security analyst at Bishop Fox, Sarahah immediately harvests and uploads all of the information you have saved in Contacts. That’s a pretty clear case of an app that can, and probably does, compromise your Contacts and the anonymity of everyone you know.
What's Going on With Sarahah and Your Contacts?
When you first launch Sarahah, it asks for permission to access your Contacts. It claims that it needs that information to show you who has an account on Sarahah. Presumably, this could be used to help you find your friends and start sending them feedback. According to Julian, that’s not actually happening.
What Julian discovered, after tracing what the app was doing on his Samsung Galaxy S5 running Android 5.1.1, is that the app immediately began uploading his contact information to some unknown server. Using Burp Suite, a toolkit for intercepting and inspecting an app’s network traffic, Julian was able to catch Sarahah in the act.
Julian confirmed this same behavior happens on iPhone and iPad devices, and it doesn’t just occur once. If you don’t use the app in a while, it shares your contacts all over again. Julian did some testing on the app one Friday night, and then noticed it uploading contact information again when he relaunched Sarahah the following Sunday morning.
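A check like the one described above can be repeated on a test device by seeding the address book with canary contacts and searching the intercepted requests for them. The Python script below is an added example, not code from Julian, Bishop Fox, or Sarahah; the canary values, hostnames, timestamps, and capture format are constructed assumptions.

```python
import base64
import re
from contextlib import suppress
from urllib.parse import unquote_plus

# Canary values seeded into the test device's address book (constructed).
CANARIES = ["+1 555 010 0199", "canary.two@example.test"]
# Constructed proxy-history export; hosts, times and bodies are placeholders.
CAPTURE = [
    {"time": "2024-01-05T21:14:02Z", "host": "api.example.test",
     "body": '{"contacts":[{"name":"Canary One","phone":"+1 (555) 010-0199"}]}'},
    {"time": "2024-01-05T21:14:03Z", "host": "cdn.example.test", "body": ""},
    {"time": "2024-01-05T21:14:05Z", "host": "metrics.example.test",
     "body": "d=" + base64.b64encode(b'{"tel":"15550100199"}').decode()},
    {"time": "2024-01-07T09:30:11Z", "host": "api.example.test",
     "body": "contacts=canary.two%40example.test%2C%2B15550100199"},
]

def views(body):
    """Body as sent, plus its URL-decoded and base64-decoded forms."""
    out = [body, unquote_plus(body)]
    for token in re.findall(r"[A-Za-z0-9+/]{16,}={0,2}", body):
        with suppress(ValueError):  # token was not valid base64
            out.append(base64.b64decode(token, validate=True).decode("utf-8", "replace"))
    return out

def find_canaries(body):
    """Canary values found in any view; phone numbers are matched on digits only."""
    needles = {c: c.lower() if "@" in c else re.sub(r"\D", "", c) for c in CANARIES}
    hits = set()
    for view in views(body):
        haystacks = (view.lower(), re.sub(r"\D", "", view))
        hits.update(c for c, n in needles.items() if any(n in h for h in haystacks))
    return hits

def contact_uploads(entries):
    """Map host -> [(time, canaries)] for every request that carried canary data."""
    report = {}
    for e in entries:
        hits = find_canaries(e["body"])
        if hits:
            report.setdefault(e["host"], []).append((e["time"], sorted(hits)))
    return report

def repeat_uploaders(report):  # hosts sent canary data on more than one day
    return sorted(h for h, ev in report.items() if len({t[:10] for t, _ in ev}) > 1)

if __name__ == "__main__":
    print(contact_uploads(CAPTURE), repeat_uploaders(contact_uploads(CAPTURE)))
```

A host listed by repeat_uploaders received address-book data in more than one session, which is the pattern Julian observed when he relaunched the app days later.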
So What Does Sarahah Do With That Information?
Julian wasn’t able to ascertain what the app was actually doing with the address book it uploaded to Sarahah’s servers. He noted that the app does disclose it needs access to your Contacts, but doesn’t tell you it’s going to upload that information from your phone. Nor does it seem to make any functional use of the data. What’s troublesome is the fact that many people store more than just telephone numbers and addresses for their associates, friends, and family members in Contacts. It’s not uncommon to also include birthdays, anniversaries, and other personal information.
Sarahah App asked for contacts for a planned "find your friends" feature — ZainAlabdin Tawfiq (@ZainAlabdin878), August 27, 2017
Sarahah creator Zain al-Abidin Tawfiq tweeted that the Contacts functionality was going to be removed in a future update. Apparently, the need for access to Contacts was for an intended “find your friends” feature that was stymied by “technical issues” and eventually scrapped. Tawfiq told The Intercept that a former partner was supposed to remove the Contacts functionality from the app, but “missed that.”
Tawfiq did say that the functionality was removed from Sarahah’s servers, and none of the contact information is stored within its databases. That is, of course, all but impossible to confirm or deny. It seems, though, that to “miss that” with a feature that can compromise your Contacts should be considered a pretty big deal.
Getting Sarahah Without Getting Sarahah
If you aren’t worried about your privacy and want to take Sarahah for a spin, you can download it on the App Store. The good news here is that if you are privacy-conscious and don’t want to install an app that might compromise your contacts, you can use Sarahah without the app. Just go to the service’s website and do everything from there, where you aren’t required to provide the data from your Contacts.