Skip to content
Naked Security Naked Security

People-rating app Sarahah slurps up contacts for feature that doesn’t exist

And why would an apparently anonymous app want to suck your contact details to show to other users anyway?

Many social media apps sink their fangs into users’ devices to suck out their contact lists.

It makes sense. How else would they a) offer to hook you up with people you know and/or b) send a swarm of marketing email to pester your friends?

It’s not only potentially useful; it has the potential to drive your buddies insane with the resulting plague of marketing email, if LinkedIn’s past pestering is any indication.

And now, there’s a problem with the way that the latest viral sensation app, Sarahah, siphons contact lists. Namely, it is quietly sucking up users’ contacts, but it’s not giving them anything in return.

Sarahah, the latest people-rating app, bills itself as a way to “receive honest feedback” from friends and employees… anonymously. How the “anonymous” part of the equation jibes with showing users who else they know on the app is anybody’s guess.

Sarahah claims that on iOS it uses contact data to show users who in their address books are using the app. But according to Zachary Julian, a senior security analyst at Bishop Fox, the app is sucking up contacts without handing over the goods.

Zain al-Abidin Tawfiq, the developer who created Sarahah, said in a Tweet that the feature is in the works:

He also said, in a subsequent tweet, that the Sarahah database is currently empty: it has nary a single contact in it. Tawfiq said that the Find Your Friends feature was delayed “due to a technical issue,” that the database isn’t currently hosting contacts, and that the app’s data request is going to be yanked in the next release.

But there are a few issues with Find Your Friends that Twitter respondents, and Julian, posed to him:

  1. Why didn’t he wait until the feature was ready before gobbling up address books?
  2. Doesn’t Find Your Friend defeat the purpose of an anonymous people-rating app?
  3. Maybe Sarahah has some empty database lying around, but wherever else the data is flowing, the app’s been caught in the act of siphoning.

Some sound like they want to see Tawfiq’s father give him a little bit of “people rating” over the first issue:

Julian has posted a video to show the address book harvesting in action on Android. He notes that the iOS version of the app also contains functionality to send every phone number, email address and associated names on a device to Sarahah’s servers.

As soon as users log into the app, Sarahah attempts to upload all phone and email contacts. On iOS and Android 6+, the operating system will prompt the user before allowing access to the phone’s contacts, but phones running Android 5 and below – and there are a lot of them – won’t be prompted. All they get is the permissions prompt during installation from the Play Store.

Julian:

On Android 5 and below, these requests will be issued silently and without user interaction. With an estimated 54% of users running Android 5 and below, this is probably a substantial amount of Sarahah’s 10 [million] to 50 million Android users.

It’s likely that most users permit access to their contacts without considering how this data may be used.

iOS does a better job at warning users about the data upload, he said, by explicitly prompting whether to allow the application access to the phone’s contacts and giving users a chance to say no.

Why should this trouble us? It’s not as if social media apps didn’t regularly request our contacts. But Julian notes that at this point, we don’t have the feature, and “all we have is the company’s word” that it’s coming.

We can take Tawfiq’s claims at face value — maybe that database is indeed an empty holder, without any contact details, be they phone numbers, names or email addresses.

Otherwise, given tens of millions of installs – Sarahah is a top free downloaded app on iTunes – that means tens of millions of address books harvested.

The thing is, Julian found that Sarahah did indeed upload his private information when he installed the app on his Android phone, a Galaxy S5 running Android 5.1.1. Julian told The Intercept that his phone was outfitted with monitoring software, known as Burp Suite, that intercepts internet traffic entering and leaving the device, allowing the owner to see what data is sent to remote servers.

Sure enough, when Julian launched Sarahah, Burp Suite caught it uploading his private data.

Here’s some non-anonymous, honest feedback: there are many ways for personal data to be revealed, be it through data breaches or from a supposedly anonymous app offering to show users who else is using it.

If Sarahah is struggling with “technical” issues that caused it to prematurely grab data (that just maybe it shouldn’t be grabbing in the first place), should you trust that it will keep your name out of the picture when you give “honest” feedback about your boss?

Honestly? I’ll take a pass.


7 Comments

Those on social media, deserve what they get. There’s nothing socially redeemable about any of these sites.

Social media is work for many people: we at Naked Security have a Facebook page and a Twitter account, and it’s part of my job to look after those. For others, it’s important networking; still others use social media to stay in touch with distant family and friends. Last night I had dinner with a friend who’s lived in Australia for many years – we stay in touch via Facebook and catching up with her and renewing our 30+ year friendship, as we do every couple of years, was a joy.

So please don’t victim-blame, and please bear in mind that while you might think social media is irredeemably trivial, it most certainly isn’t for many of its users.

Seriously? How did all these important encounters happen before social media came about? Oh yeah that’s right, they visited, and wrote letters, and spoke on the phone. It really is time for people who live on these sites to find real value in their life. Now there are reports of the IRS scanning social media to decide who they’ll audit. That is the least nefarious of things that are happening with it. Someone once told me that a job only counts when you produce something. It’s time to think about what your job actually does.

It’s another, more immediate, way of doing the same thing. You don’t like it, that’s totally fine, but what on earth is the point is being so hostile about something that, while a very long way from perfect, nonetheless does a good job of building and strengthening connections? And I’m pretty sure my job produces something of value: you’re here, reading the stories and being sufficiently engaged to spend time commenting on it, which I’m pleased about. Incidentally, this kind of commenting community is also social media.

When I was a kid, if we wanted to call somebody on the phone who lived abroad, it cost a lot of money and the connection was very bad, it was hard to hear what the other person said. Calls had to be very short and sweet.

Letters took weeks round trip to have a conversation. It wasn’t that long ago, though I guess every old person says that.

A little bit before my time but still not that long ago, if you wanted to make an international call you had to go to the post office first to arrange a time by telegram that both people could go to the post office to do the call and it cost an arm and a leg.

Now I can talk to a friend anywhere in the world for free. in real time.

If you don’t like it, you can opt out.

Comments are closed.

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?