The viral 'honesty app' Sarahah, on which you can send or receive anonymous messages, is not as anonymous as it appears as the app has been found uploading the user's phone contacts on to the company's servers.
Zachary Julian, a senior security analyst at Bishop Fox, discovered Sarahah’s uploading of private information when he installed the app on his Android phone, a Galaxy S5 running Android 5.1.1. The phone was outfitted with monitoring software known as BURP Suite, which intercepts internet traffic entering and leaving the device, allowing the owner to see what data is sent to remote servers. When Julian launched Sarahah on the device, BURP Suite caught the app in the act of uploading his private data.
"As soon as you log into the application, it transmits all of your email and phone contacts stored on the Android operating system," a report in The Intercept on Sunday quoted Julian as saying.
He later verified the same occurs on Apple’s iOS, albeit after a prompt to “access contacts,” which also appears in newer versions of Android. Though the app asks for user's permission to access contacts, there is no such feature in the app where these contacts would be required or even a search feature where users can look up for a friend using a contact number.
However, Sarahah's founder Zain al-Abidin Tawfiq said contact lists were being uploaded "for a planned 'find your friends' feature" that was not yet released.
In a tweet, Tawfiq wrote that the data request will be removed on next update.
It often seems suspicious if users do not get anything out of granting access to apps to their contact lists.
For example, earlier in 2017, the newsletter unsubscription service Unroll.me drew a lot of criticism following allegations that it sold user data to cab-hailing service Uber.