According to a report published by The Intercept, the popular Sarahah app silently uploads users’ phone contacts to the company’s servers. This summer, Sarahah became one of the most popular iPhone apps in the world for both iOS and Android. Sarahah has been created by Saudi Arabian developer Zain al-Abidin Tawfiq, it implements a social network that lets users send and receive anonymous messages. It reached the top of the App Store in many regions, including Australia, Ireland, the U.S, and the UK.

Created by Saudi Arabian developer Zain al-Abidin Tawfiq, the app is essentially a social network that lets you send and receive anonymous messages.

Sarahah means “frankness” or “honesty” in Arabic, the name was chosen because the author believes that people are more willing to be honest when their messages are anonymized like the app does.

Today the Sarahah app has more than 18 Million users that probably ignore that the app may not be as private as they believe.

According to a report published by The Intercept, the app silently uploads users’ phone contacts to the company’s servers.

The discovery was made by the security analyst Zachary Julian, he discovered that once users have installed the Sarahah app for the first time, it harvests and uploads data in the address book.

“Zachary Julian, a senior security analyst at Bishop Fox, discovered Sarahah’s uploading of private information when he installed the app on his Android phone, a Galaxy S5 running Android 5.1.1. The phone was outfitted with monitoring software known as BURP Suite, which intercepts internet traffic entering and leaving the device, allowing the owner to see what data is sent to remote servers.” reads the report published by The Intercept. “When Julian launched Sarahah on the device, BURP Suite caught the app in the act of uploading his private data.

“As soon as you log into the application, it transmits all of your email and phone contacts stored on the Android operating system,” he said. He later verified the same occurs on Apple’s iOS, albeit after a prompt to “access contacts,” which also appears in newer versions of Android. Julian also noticed that if you haven’t used the application in a while, it’ll share all of your contacts again. He did some testing on the app on a Friday night, and when he booted the app on a Sunday morning, it pushed all of his contacts again.”

According to Zain al-Abidin Tawfiq, the contacts functionality was initially implemented to allow you to “‘find your friends’ feature.” anyway it would be removed in a future release.

When first launched, this app harvests and uploads all phone numbers and email addresses in your address book. https://t.co/MOfzqQ9KmI — The Intercept (@theintercept) August 27, 2017

Zachary Julian highlighted that the privacy policy doesn’t mention uploading data to a server.

“The privacy policy specifically states that if it plans to use your data, it’ll ask for your consent,” Julian said. While the app’s entry in Google’s Play Store does indicate the app will access contacts, that’s not “enough consent” to justify “sending all of those contacts over without any kind of specific notification,” he added.

The good news is that users can block the app form accessing their contacts.

Since Android 6.0 Marshmallow OS, users can limit permissions for apps, just go to

Settings → Personal → Apps, now under Configuration App, open App permission and set the permission according to your needs.

Unfortunatel, around 54 percent of Android users are using older versions that don’t allow to limit permissions, and “users have to be savvy enough to know where to find the app permissions and around 54 percent of Android users are using older versions that don’t have these permissions, and users have to be savvy enough to know where to find the app permissions (Settings > Apps > Gear button > App permissions).”

Share this...

Linkedin Reddit Pinterest

Share On