'Honesty App' Sarahah Secretly Collects Users' Contacts for a Feature That's Still Being Planned
It was recently learned that Sarahah, also known as the Honesty App, has been collecting data from a user's phone contacts for an application feature that is still in its planning stage.
Sarahah started out as a Saudi Arabia-based app that employees used to send candid feedback to their bosses without worrying about being reprimanded, because it hides the identity of the sender and offers no way of tracking them.
Recently, the app became one of the most downloaded apps on both iOS and Android as it turned into something of a social media platform with the promise of hiding people's identities.
However, a report has recently raised red flags as a researcher discovered that Sarahah servers were collecting data from the user's contact list.
Bishop Fox's senior security analyst Zachary Julian told The Intercept about his findings.
According to the report, Julian had installed Sarahah on his Galaxy S5 device running Android 5.1.1. He also used a program called Burp Suite, which gave him a log of the network data going in and out of his device. When he opened the Sarahah app, he learned that the software was collecting his contact list data.
Julian told The Intercept: "As soon as you log into the application, it transmits all of your email and phone contacts stored on the Android operating system." The security analyst also confirmed that Sarahah did the same thing with iOS devices.
Sarahah developer Zain al-Abidin Tawfiq briefly responded to the report and explained: "Sarahah App asked for contacts for a planned 'find your friends' feature." In a follow-up reply, he denied Julian's claims and told a follower: "The Sarahah database doesn't currently hold a single contact."
Tawfiq added that the planned feature "was delayed due to a technical issue." Later on, the app developer promised that the "data request" would be removed in an upcoming update.