The Popular Sarahah App Has Been Secretly Saving All The Data In Your Address Book

Sarahah, the popular anonymous messaging app, built as a platform for honest feedback, has reportedly also been saving all the contacts in your phone.

It turns out, when you initially download and install the application, it saves and uploads your phone contacts and email addresses to the company’s servers, seemingly for no good reason. The behavior was first reported by The Intercept.

Sarahah’s founder, Zain Al-Abidin Tawfiq, tweeted in response to The Intercept’s article , saying that the contacts were being uploaded for a planned “find your friends” feature. The feature was then delayed due to “technical issues” and was accidentally not removed from the current version of the app. He added that “the data request will be removed on next update.”

Sarahah App asked for contacts for a planned "find your friends" feature

— ZainAlabdin Tawfiq (@ZainAlabdin878) August 27, 2017

The app doesn’t entirely hide that it’s interested in your contacts. On both iOS and Android, Sarahah asks for permission to access each user’s phone contacts – and even if you say no, you can still continue to use the app.

Zachary Julian, a senior security analyst at Bishop Fox, was the first to report the behavior to The Intercept. When he downloaded Sarahah to his Android phone, a monitoring software installed on the device alerted him to the fact that the app was uploading his private data. Julian reportedly found that the same occurs on iPhone, and that the app will also re-download all of your contacts if you haven’t accessed it on your phone in some time.

One of the most downloaded apps, Julian estimates that it is possible that Sarahah may have already harvested hundreds of millions of phone numbers and email addresses. Rest assured though (hopefully) – the app’s privacy policy notes that it will “will never sell the data you provide to any third party” without users’ prior and written consent unless part of bulk data used only for research and does not identify the user.

Earlier this year, users of the service Unroll.me grew upset when it was reported that the company sold their data to Uber. While this kind of activity is often covered in an app’s terms of service, that certainly doesn’t mean most users are going to be aware of it.

Sarahah’s founder makes it sound like the company isn’t doing anything with the data it collects. But either way, that information seems to be needlessly getting sent to a company’s server when it doesn’t really need to be.

What are your thoughts? Share them down below in the comments.