People-rating app Sarahah slurps up contacts for feature that doesn’t exist

Many social media apps sink their fangs into users’ devices to suck out their contact lists.

It makes sense. How else would they a) offer to hook you up with people you know and/or b) send a swarm of marketing email to pester your friends?

It’s not only potentially useful; it has the potential to drive your buddies insane with the resulting plague of marketing email, if LinkedIn’s past pestering is any indication.

And now, there’s a problem with the way that the latest viral sensation app, Sarahah, siphons contact lists. Namely, it is quietly sucking up users’ contacts, but it’s not giving them anything in return.

Sarahah, the latest people-rating app, bills itself as a way to “receive honest feedback” from friends and employees… anonymously. How the “anonymous” part of the equation jibes with showing users who else they know on the app is anybody’s guess.

Sarahah claims that on iOS it uses contact data to show users who in their address books are using the app. But according to Zachary Julian, a senior security analyst at Bishop Fox, the app is sucking up contacts without handing over the goods.

Zain al-Abidin Tawfiq, the developer who created Sarahah, said in a Tweet that the feature is in the works:

He also said, in a subsequent tweet, that the Sarahah database is currently empty: it has nary a single contact in it. Tawfiq said that the Find Your Friends feature was delayed “due to a technical issue,” that the database isn’t currently hosting contacts, and that the app’s data request is going to be yanked in the next release.

But there are a few issues with Find Your Friends that Twitter respondents, and Julian, posed to him:

  1. Why didn’t he wait until the feature was ready before gobbling up address books?
  2. Doesn’t Find Your Friends defeat the purpose of an anonymous people-rating app?
  3. Maybe Sarahah has some empty database lying around, but wherever else the data is flowing, the app’s been caught in the act of siphoning.

Some sound like they want to see Tawfiq’s father give him a little bit of “people rating” over the first issue:

Julian has posted a video to show the address book harvesting in action on Android. He notes that the iOS version of the app also contains functionality to send every phone number, email address and associated names on a device to Sarahah’s servers.

As soon as users log into the app, Sarahah attempts to upload all phone and email contacts. On iOS and Android 6+, the operating system will prompt the user before allowing access to the phone’s contacts, but phones running Android 5 and below – and there are a lot of them – won’t be prompted. All they get is the permissions prompt during installation from the Play Store.

Julian:

On Android 5 and below, these requests will be issued silently and without user interaction. With an estimated 54% of users running Android 5 and below, this is probably a substantial amount of Sarahah’s 10 [million] to 50 million Android users.

It’s likely that most users permit access to their contacts without considering how this data may be used.

iOS does a better job at warning users about the data upload, he said, by explicitly prompting whether to allow the application access to the phone’s contacts and giving users a chance to say no.

Why should this trouble us? It’s not as if social media apps didn’t regularly request our contacts. But Julian notes that at this point, we don’t have the feature, and “all we have is the company’s word” that it’s coming.

We can take Tawfiq’s claims at face value — maybe that database is indeed an empty holder, without any contact details, be they phone numbers, names or email addresses.

Otherwise, given tens of millions of installs – Sarahah is one of the top free downloads on iTunes – that means tens of millions of address books harvested.

The thing is, Julian found that Sarahah did indeed upload his private information when he installed the app on his Android phone, a Galaxy S5 running Android 5.1.1. Julian told The Intercept that his phone was outfitted with monitoring software, known as Burp Suite, that intercepts internet traffic entering and leaving the device, allowing the owner to see what data is sent to remote servers.

Sure enough, when Julian launched Sarahah, Burp Suite caught it uploading his private data.
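As an added illustration, not Julian’s or Sarahah’s own code, the Python script below audits the body of an outbound request of the kind an intercepting proxy exposes, flagging it when it carries an address book’s worth of phone numbers and email addresses rather than a single login identifier. The sample request body is constructed for the example.

```python
import json
import re

# Constructed sample of an intercepted HTTP POST body (not real Sarahah traffic):
# the shape an intercepting proxy such as Burp Suite would show when an app
# uploads an address book after login.
SAMPLE_REQUEST_BODY = json.dumps({
    "deviceId": "example-device",
    "contacts": [
        {"name": "Alice Example", "phones": ["+1 555 0100"], "emails": ["alice@example.com"]},
        {"name": "Bob Example", "phones": ["+1 555 0101", "+1 555 0102"], "emails": []},
        {"name": "Carol Example", "phones": [], "emails": ["carol@example.org"]},
    ],
})

PHONE_RE = re.compile(r"\+?\d[\d\s().-]{6,}\d")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")

def walk_strings(node):
    """Yield every string value in a decoded JSON document, at any depth."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, dict):
        for value in node.values():
            yield from walk_strings(value)
    elif isinstance(node, list):
        for value in node:
            yield from walk_strings(value)

def audit_request_body(body, threshold=3):
    """Count distinct phone numbers and email addresses in an outbound body.

    bulk_contacts is set when the total exceeds `threshold`: a user's own
    login email should not trip it, a whole address book should.
    """
    try:
        strings = list(walk_strings(json.loads(body)))
    except ValueError:
        strings = [body]  # not JSON: scan the raw text instead
    phones = {m.group() for s in strings for m in PHONE_RE.finditer(s)}
    emails = {m.group() for s in strings for m in EMAIL_RE.finditer(s)}
    total = len(phones) + len(emails)
    return {"phones": len(phones), "emails": len(emails), "bulk_contacts": total > threshold}

if __name__ == "__main__":
    print(audit_request_body(SAMPLE_REQUEST_BODY))  # -> 3 phones, 2 emails, bulk_contacts True
```

In practice the same check can be run over every request body a proxy captures during an app’s first launch, which is exactly the window in which this kind of upload happens.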

Here’s some non-anonymous, honest feedback: there are many ways for personal data to be revealed, be it through data breaches or from a supposedly anonymous app offering to show users who else is using it.

If Sarahah is struggling with “technical” issues that caused it to prematurely grab data (that just maybe it shouldn’t be grabbing in the first place), should you trust that it will keep your name out of the picture when you give “honest” feedback about your boss?

Honestly? I’ll take a pass.