Sarahah, a widely used application that has only recently gained popularity, has amassed over 18 million downloads combined across the Apple and Google online stores. Its legitimacy has come under fire after researchers discovered critical privacy issues within the application.
What Is Sarahah and How Does It Function?
The premise of the application is that it sends anonymized, blunt messages to its users, serving as a way to receive “honest feedback” from employees, friends and other impartial users, with the aim of contributing constructively to whatever ideas or individual development you strive to achieve. The application has become the third most downloaded free software on iOS.
Sarahah is the most recent application in a series of applications developed in Saudi Arabia. The now-defunct “Secret”, which assured its users of full anonymity, did not go down without controversial privacy issues of its own. Once launched, Secret extracts and uploads all contact numbers and email addresses from the user’s phone book or contacts directory. All of this is done without the prior knowledge or consent of the user. In the case of Sarahah, the procedure is not radically different from Secret’s. Once the application has been downloaded and launched, Sarahah asks the user for permission to access their contacts. It does not, however, reveal how the contacts will be used or what for. The data is then uploaded to an entirely unidentified server, for reasons unknown to the user.
According to Zachary Julian, Bishop Fox’s senior security analyst, when he installed the application on his Galaxy S5 running Android 5.1.1, he was able to trace the suspicious activity exhibited by Sarahah in uploading private information to unknown servers. He made his observations using Burp Suite, software for monitoring and intercepting the incoming and outgoing internet traffic of the device it is set up on. With it, the owner of the device can track what data is sent, where and to whom, which is how he spotted the unidentified server his contacts were being sent to without his permission. The method the application uses to obtain and upload users’ contacts is the same across Android and iOS devices alike: prompting for permission to access their contacts.
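As an added illustration of the traffic-monitoring approach described above (not code from the original article or from Bishop Fox): one way to audit intercepted requests for address-book data is to seed the test device with known canary contacts and search each captured request body for them. The canary contacts, host names and the simplified request format below are constructed assumptions, and the example covers form-encoded as well as JSON bodies.

```python
import re
from urllib.parse import unquote_plus

# Constructed canary contacts, assumed to be added to the test device's
# address book before the app under review is launched.
CANARIES = {
    "canary-1": {"phone": "+1 (555) 010-0142", "email": "canary.one@example.test"},
    "canary-2": {"phone": "555-010-0177", "email": "canary.two@example.test"},
}

# Constructed intercepted requests in a simplified, hypothetical format
# (this is not Burp Suite's own export format).
FLOWS = [
    {"host": "api.app.example.test", "path": "/v1/login",
     "body": "user=tester&device=android-5.1.1"},
    {"host": "upload.example.test", "path": "/v1/sync",
     "body": '{"contacts":[{"n":"A","p":"+15550100142"},'
             '{"n":"B","e":"Canary.Two@example.test"}]}'},
    {"host": "stats.example.test", "path": "/collect",
     "body": "phone=555%20010%200177&ev=open"},
]

# Phone-like token: at least seven digits, allowing common separators.
PHONE_TOKEN = re.compile(r"\+?\d[\d\s().-]{5,}\d")


def last10(value):
    """Keep the last ten digits so country-code and separator variants compare equal."""
    return re.sub(r"\D", "", value)[-10:]


def find_contact_leaks(flows, canaries):
    """Return (host, path, canary names) for each request body carrying canary data."""
    findings = []
    for flow in flows:
        body = unquote_plus(flow["body"])  # undo form/URL encoding before matching
        seen_phones = {last10(tok) for tok in PHONE_TOKEN.findall(body)}
        lowered = body.lower()
        hits = sorted(
            name for name, c in canaries.items()
            if last10(c["phone"]) in seen_phones or c["email"].lower() in lowered
        )
        if hits:
            findings.append((flow["host"], flow["path"], hits))
    return findings


if __name__ == "__main__":
    for host, path, names in find_contact_leaks(FLOWS, CANARIES):
        print(f"{host}{path}: {', '.join(names)}")
```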
Julian was able to elaborate on his initial findings when he observed that the application would actually share his contacts with the server if it had not been used in a while. He tested Sarahah’s data-sharing behaviour by using the app on Friday night and booting it on Sunday morning, enough time for the application to have uploaded his contacts to the unidentified server.
The developer of Sarahah, Zain al-Abidin Tawfiq, responded to the news by asserting on Twitter that the issue will be looked over and fixed immediately. Speaking with The Intercept, Tawfiq elaborated on the issue by stating that the feature was developed with a wholly different purpose in mind, mainly as a way to “find your friends”; however, the feature got altered due to an unexpected technical problem. The staff responsible for fixing the issue had allegedly not been able to fix it due to misunderstandings within the managerial structure of the firm. Nonetheless, Tawfiq has asserted that the application does not store users’ contacts in the company’s database.
The Larger Issue at Stake with Applications Like Sarahah
It can be argued that with applications such as Sarahah, such issues are abundant and quite a common occurrence. What should be worrying is not so much the potential for data to be illegally stolen from your device, but rather how that data is going to be used once it is stored somewhere remote, unbeknownst to you and outside your control. The security of the company is fundamental to privacy protection, and the concern grows with the critical nature of the information being retrieved and handled by the firm. Large application developers have been hacked before, causing information to leak out into the abyss of the internet for everyone to use however they may wish. Not being able to trust the security of the company, let alone know the state of it, could be detrimental and have devastating consequences both for individuals and their private information and for business assets.
According to Julian, the company has deliberately designed the feature rather than it being a careless company misunderstanding, more so because it asks for permission to access the user’s contacts without ever hinting at sharing that information with an external server. On iOS devices, it does ask for permission to access your contacts “to show you who has an account in Sarahah,” while on Android devices, reasons and notifications for accessing your contacts are omitted.
Sarahah’s privacy policy specifically states that if it plans to use your data, it will ask for your consent. However, this cannot be used as a justification for obtaining and uploading your contacts list onto an unidentified server without notifying the user first. By the same token, on iOS devices, the application never displays who else is using Sarahah, although it claims to do so while requesting permission to access the user’s contacts list.
As it stands now, it is still unclear why and how this information is being collected and utilized, although Sarahah’s privacy policy does mention that any information obtained will not be sold to third parties without the user’s consent. Whether the company comes clean to its users or not is a matter for the future. Until then, we will have to wait and see.