Popular Sarahah App secretly uploads your phone contacts to the company’s servers

Pierluigi Paganini August 28, 2017

According to a report published by The Intercept, the popular Sarahah app silently uploads users’ phone contacts to the company’s servers.

This summer, Sarahah became one of the most popular apps in the world on both iOS and Android.

Sarahah was created by Saudi Arabian developer Zain al-Abidin Tawfiq; it is essentially a social network that lets users send and receive anonymous messages.


It reached the top of the App Store in many regions, including Australia, Ireland, the U.S, and the UK.


Sarahah means “frankness” or “honesty” in Arabic; the name was chosen because the author believes that people are more willing to be honest when their messages are anonymized, as the app does.

Today the Sarahah app has more than 18 million users, who are probably unaware that the app may not be as private as they believe.


The discovery was made by security analyst Zachary Julian, who found that once users install the Sarahah app and launch it for the first time, it harvests and uploads the data in the address book.

“Zachary Julian, a senior security analyst at Bishop Fox, discovered Sarahah’s uploading of private information when he installed the app on his Android phone, a Galaxy S5 running Android 5.1.1. The phone was outfitted with monitoring software known as BURP Suite, which intercepts internet traffic entering and leaving the device, allowing the owner to see what data is sent to remote servers.” reads the report published by The Intercept. “When Julian launched Sarahah on the device, BURP Suite caught the app in the act of uploading his private data.

“As soon as you log into the application, it transmits all of your email and phone contacts stored on the Android operating system,” he said. He later verified the same occurs on Apple’s iOS, albeit after a prompt to “access contacts,” which also appears in newer versions of Android. Julian also noticed that if you haven’t used the application in a while, it’ll share all of your contacts again. He did some testing on the app on a Friday night, and when he booted the app on a Sunday morning, it pushed all of his contacts again.”
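A defender repeating Julian's check with an intercepting proxy would want an automatic way to spot the request that carries the whole address book rather than a single login address. The following is an added example, not code from this article, Bishop Fox or The Intercept: it counts distinct e-mail addresses and phone numbers in captured request bodies and flags bulk uploads; the host names and request bodies are constructed.

```python
"""Flag intercepted HTTP requests that carry bulk address-book data.

Added example: given request bodies exported from an intercepting proxy
such as Burp Suite, count distinct phone numbers and e-mail addresses per
body and flag any that looks like a contact-list upload. Hosts and
bodies below are constructed sample data, not real Sarahah traffic.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
# Local or international numbers with at least eight digits, separators allowed
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{6,}\d")


@dataclass
class Request:
    method: str
    host: str
    path: str
    body: str


def contact_counts(body: str) -> Tuple[int, int]:
    """Return (distinct e-mails, distinct phone numbers) found in a body."""
    emails = set(EMAIL_RE.findall(body))
    phones = {re.sub(r"\D", "", p) for p in PHONE_RE.findall(body)}
    return len(emails), len(phones)


def flag_contact_uploads(reqs: List[Request], threshold: int = 5):
    """Return (url, emails, phones) for requests carrying >= threshold contacts.

    A login form with one address stays below the threshold; a request
    that carries the address book goes well above it."""
    flagged = []
    for r in reqs:
        if r.method not in ("POST", "PUT"):
            continue
        e, p = contact_counts(r.body)
        if e + p >= threshold:
            flagged.append((r.host + r.path, e, p))
    return flagged


# Constructed sample traffic: one ordinary login, one bulk contact upload.
SAMPLE = [
    Request("POST", "api.example.invalid", "/login",
            '{"user":"alice@example.invalid","pass":"..."}'),
    Request("POST", "api.example.invalid", "/contacts/sync",
            '{"contacts":[' + ",".join(
                f'{{"name":"c{i}","phone":"+1555010{i:04d}","email":"c{i}@mail.invalid"}}'
                for i in range(8)) + "]}"),
]

if __name__ == "__main__":
    for url, e, p in flag_contact_uploads(SAMPLE):
        print(f"possible contact upload to {url}: {e} e-mails, {p} phones")
```

In practice the bodies would come from a proxy's saved request log, and the threshold tuned so that a short recipient list in a legitimate message does not trip it.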

According to Zain al-Abidin Tawfiq, the contacts functionality was originally implemented for a planned “find your friends” feature; in any case, it will be removed in a future release.

Zachary Julian highlighted that the privacy policy doesn’t mention uploading data to a server.

“The privacy policy specifically states that if it plans to use your data, it’ll ask for your consent,” Julian said. While the app’s entry in Google’s Play Store does indicate the app will access contacts, that’s not “enough consent” to justify “sending all of those contacts over without any kind of specific notification,” he added.

The good news is that users can block the app from accessing their contacts.

Since Android 6.0 Marshmallow, users can limit the permissions granted to each app: go to Settings → Personal → Apps, then under Configuration App open App permission and set the permissions according to your needs.

Unfortunately, as The Intercept notes, “around 54 percent of Android users are using older versions that don’t have these permissions, and users have to be savvy enough to know where to find the app permissions (Settings > Apps > Gear button > App permissions).”


Pierluigi Paganini

(Security Affairs – Sarahah app, privacy)
