Hi guys!
I read some very useful information about the application I have seen most often on my Facebook feed over the past few days. Can you guess what it is?
SARAHAH, a new app that lets people sign up to receive anonymized, candid messages, has been surging in popularity; somewhere north of 18 million people are estimated to have downloaded it from Apple and Google’s online stores, making it the No. 3 most downloaded free software title for iPhones and iPads.

You should beware of this app, because the anonymous feedback application may not be as private as it sounds.

Sarahah is a newly launched app that has become one of the hottest iPhone and Android apps in the past couple of weeks, allowing its users to sign up to receive anonymised, candid messages from other Sarahah users.

Zachary Julian, a senior security analyst at Bishop Fox, discovered Sarahah’s uploading of private information when he installed the app on his Android phone, a Galaxy S5 running Android 5.1.1. The phone was set up to route its traffic through an intercepting proxy, Burp Suite, which captures the internet traffic entering and leaving the device and lets the owner see exactly what data is sent to remote servers. When Julian launched Sarahah on the device, Burp Suite caught the app in the act of uploading his private data.
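The kind of check Julian's proxy setup makes possible, written out as an added example (my code, not the article's, The Intercept's or Bishop Fox's): take a raw HTTP request as an intercepting proxy such as Burp Suite displays it, and flag a request whose body carries far more distinct phone numbers and e-mail addresses than one user's own profile would, which is what an address-book upload looks like on the wire. The host, path and contact payload below are constructed placeholders, not Sarahah's real endpoint or data.

```python
"""Flag intercepted HTTP requests that look like bulk address-book uploads.

Added example for this post, not code from the article, The Intercept,
Bishop Fox or Sarahah. It assumes requests were captured with an intercepting
proxy such as Burp Suite and saved as raw HTTP/1.1 text. The host, path and
payload below are constructed placeholders, not Sarahah's real endpoint.
"""
import json
import re
from dataclasses import dataclass, field
from typing import Dict, Tuple

# Loose matchers for the two identifiers an address book is mostly made of.
PHONE_RE = re.compile(r"\+?\d[\d().-]{6,}\d")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


@dataclass
class Request:
    method: str
    host: str
    path: str
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""


def parse_raw_request(raw: str) -> Request:
    """Split a raw HTTP/1.1 request (as shown in a proxy) into its parts."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return Request(method, headers.get("host", ""), path, headers, body)


def count_contact_identifiers(body: str) -> Tuple[int, int]:
    """Count distinct phone numbers and e-mail addresses in a request body."""
    phones = {re.sub(r"\D", "", p) for p in PHONE_RE.findall(body)}
    emails = {e.lower() for e in EMAIL_RE.findall(body)}
    return len(phones), len(emails)


def flag_contact_upload(req: Request, threshold: int = 5) -> bool:
    """True when a request carries enough distinct contact identifiers to
    look like an address-book upload rather than a single user's own details.
    """
    if req.method.upper() not in ("POST", "PUT", "PATCH"):
        return False
    phones, emails = count_contact_identifiers(req.body)
    return phones + emails >= threshold


# Constructed sample: what a contacts-sync request from an app could look
# like once captured. Endpoint, names, numbers and addresses are placeholders.
SAMPLE_UPLOAD = (
    "POST /v1/contacts/sync HTTP/1.1\r\n"
    "Host: api.example-app.invalid\r\n"
    "Content-Type: application/json\r\n"
    "\r\n"
    + json.dumps({"contacts": [
        {"name": f"Contact {i}", "phone": f"+1555010{i:04d}",
         "email": f"contact{i}@example.com"} for i in range(40)
    ]})
)

# Constructed sample: a normal single-message request, which should not fire.
SAMPLE_MESSAGE = (
    "POST /v1/messages HTTP/1.1\r\n"
    "Host: api.example-app.invalid\r\n"
    "Content-Type: application/json\r\n"
    "\r\n"
    + json.dumps({"to": "some_user", "text": "Your talk today was great"})
)

if __name__ == "__main__":
    for raw in (SAMPLE_UPLOAD, SAMPLE_MESSAGE):
        req = parse_raw_request(raw)
        phones, emails = count_contact_identifiers(req.body)
        verdict = "ADDRESS-BOOK UPLOAD?" if flag_contact_upload(req) else "ok"
        print(f"{req.method} {req.host}{req.path}: "
              f"{phones} phones, {emails} emails -> {verdict}")
```

The threshold is deliberately low: a profile update might legitimately carry the user's own phone and e-mail, but dozens of distinct ones in one request from an app with no contacts feature is exactly the behaviour the article describes, and it is the request body, not the permission prompt, that proves the data actually left the phone.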

You can see some of his testing in this video: “Sarahah uploading address book data” (The Intercept, on Vimeo).

While an app requesting access to the user’s phonebook is quite common if the app provides any feature that works with contacts, no such functionality in Sarahah is available right now.

However, the creator of Sarahah, Zain al-Abidin Tawfiq, responded to the story by saying that his app does harvest and upload users’ contacts to the company’s servers, for a feature that will be implemented at a later time.

Tawfiq said that users’ contact lists are being uploaded “for a planned ‘find your friends’ feature,” which was “delayed due to a technical issue,” and that the upload code was accidentally left in Sarahah’s current version.

Tawfiq also assured users that “the data request will be removed on next update” to the app and that Sarahah’s servers do not “currently host contacts,” which is, of course, impossible to verify from the outside.

It’s not entirely clear what Sarahah uses uploaded contact lists for, although the app’s privacy policy states that it will not sell the information to third parties without prior and written consent, unless it’s part of bulk data used for statistics and research.

Newer Android versions, starting with Android 6.0 (“Marshmallow”), allow more granular app permissions, so users can revoke an app’s access to contacts or other information. However, all but the most expensive Android phones are notoriously slow to receive updates like Marshmallow; around 54 percent of Android users are on older versions that lack these per-permission controls, and even on newer versions users have to be savvy enough to know where to find the app permissions. To do so, go to Settings → Personal → Apps, then under Configuration App open App permissions and restrict the permissions of whichever apps you choose.
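For anyone who would rather audit this from a computer than tap through Settings, here is an added example (my code, not the article's or Google's) that reads the output of `adb shell dumpsys package <package>` on an Android 6.0+ device, reports which permissions the app has actually been granted, and prints the `adb shell pm revoke` commands that would withdraw the sensitive ones. The package name, the `dumpsys` text and the watch-list of “sensitive” permissions below are constructed for illustration; the real output for any given app will differ.

```python
"""Audit which permissions an installed Android app holds, from `dumpsys` output.

Added example for this post, not code from the article or from Android's own
tooling. It assumes the text was produced by `adb shell dumpsys package <pkg>`
on Android 6.0+, where each permission is listed with a granted=true/false
flag. The package name and the output below are a constructed sample.
"""
import re
from typing import Dict, List

# Permissions worth a second look for an app whose advertised features do not
# need them. A hypothetical watch-list for this example, not an Android category.
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_CONTACTS",
    "android.permission.WRITE_CONTACTS",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_SMS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.RECORD_AUDIO",
}

GRANT_RE = re.compile(r"^\s*([\w.]+\.permission\.[A-Z_0-9]+):\s*granted=(true|false)")
REQUEST_RE = re.compile(r"^\s*([\w.]+\.permission\.[A-Z_0-9]+)\s*$")


def parse_dumpsys(text: str) -> Dict[str, bool]:
    """Map each permission mentioned to whether it is currently granted.

    Permissions that appear only under 'requested permissions:' (asked for in
    the manifest but not yet granted at runtime) are recorded as False.
    """
    grants: Dict[str, bool] = {}
    in_requested = False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.endswith("permissions:"):
            in_requested = stripped.startswith("requested")
            continue
        m = GRANT_RE.match(line)
        if m:
            grants[m.group(1)] = m.group(2) == "true"
            continue
        m = REQUEST_RE.match(line)
        if m and in_requested:
            grants.setdefault(m.group(1), False)
    return grants


def sensitive_granted(grants: Dict[str, bool]) -> List[str]:
    """Sorted list of watch-listed permissions the app currently holds."""
    return sorted(p for p, ok in grants.items() if ok and p in SENSITIVE_PERMISSIONS)


def revoke_commands(package: str, permissions: List[str]) -> List[str]:
    """`adb shell pm revoke` lines that withdraw each runtime permission.
    This only works on Android 6.0+; older versions grant everything at install."""
    return [f"adb shell pm revoke {package} {p}" for p in permissions]


# Constructed sample, trimmed to the sections this script reads; a real
# `dumpsys package` listing is much longer. The package name is a placeholder.
SAMPLE_PACKAGE = "com.example.feedbackapp"
SAMPLE_DUMPSYS = """\
Package [com.example.feedbackapp]:
  userId=10123
  requested permissions:
    android.permission.INTERNET
    android.permission.ACCESS_NETWORK_STATE
    android.permission.READ_CONTACTS
    android.permission.CAMERA
  install permissions:
    android.permission.INTERNET: granted=true
    android.permission.ACCESS_NETWORK_STATE: granted=true
  User 0: installed=true
    runtime permissions:
      android.permission.READ_CONTACTS: granted=true
      android.permission.CAMERA: granted=false
"""

if __name__ == "__main__":
    grants = parse_dumpsys(SAMPLE_DUMPSYS)
    for perm, ok in sorted(grants.items()):
        print(f"{'GRANTED' if ok else 'denied ':8} {perm}")
    flagged = sensitive_granted(grants)
    print("\nSensitive permissions held:", flagged or "none")
    for cmd in revoke_commands(SAMPLE_PACKAGE, flagged):
        print("  ", cmd)
```

Run it against real output by piping `adb shell dumpsys package <pkg>` into the parser instead of the sample string. The important caveat is the one the post already makes: on Android 5.1.1, the version Julian tested on, every permission in the manifest is granted at install time and `pm revoke` is not available, so the only remedies are uninstalling the app or blocking its traffic.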

If you found this information useful, share it with your friends so they know about it.
Thank you!