Sarahah, the anonymous messaging app that shot to the top of app stores earlier this summer, says it plans to remove a feature that uploads users’ contacts, including phone numbers and email addresses to the company’s servers, in the next update.
The app’s creator, Zain al-Abidin Tawfiq, caught flak over the weekend after The Intercept reported Sarahah was failing to ask for the user’s permission before uploading the data.
The app, which allows users to anonymously compliment or critique friends or co-workers, is the 45th most downloaded app on iTunes currently but hit No. 1 on the App Store’s list of top free apps in July. The app has been installed between 10,000,000 and 50,000,000 times on Android devices worldwide, according to the app’s listing on Google Play.
Sarahah, which translates to “frankness” or “honesty” in Arabic, doesn’t hide that it wants to access a user’s contacts. Upon opening the app it says it needs to access contacts in order to show users who else has a Sarahah account. A user can elect not to allow the app access to their contacts and still use it however.
According to The Intercept‘s report, Zachary Julian, a senior security analyst at Bishop Fox, discovered the app’s behavior after installing Sarahah on his Galaxy S5 running 5.11 and monitoring its traffic via BURP Suite, a toolkit used for web app security testing.
Tawfiq did not immediately return Threatpost’s request for comment but responded to The Intercept on Sunday morning. According to the developer, user data was being uploaded for a “Find Your Friends” feature that was supposed to surface in the app in a future update but had been delayed due to a technical issue. The developer stressed on Sunday morning – and again on Monday morning – that the app’s database doesn’t contain “a single contact.”
“The database doesn’t currently host contacts and the data request will be removed on next update,” Tawfiq tweeted.
The Sarahah database doesn’t currently hold a single contact.
— ZainAlabdin Tawfiq (@ZainAlabdin878) August 28, 2017
It’s unclear exactly when that update is slated for; the app was last updated for iOS on July 27 and for Android on July 28.
Privacy conscious users in the meantime users could disable their current account and register a new one for service via its website. The website requires users have an email, password, username, and name to sign up for an account, no contacts required. After doing so a user would have to share their page publicly in order to receive anonymous messages.
Just because mobile applications bill themselves as anonymous doesn’t mean they’re free from security issues.
Years ago Yik Yak, a now-defunct cross-platform app that let users share anonymous updates with users near them, fixed a critical vulnerability that could have de-anonymized users and let an attacker take control of a user’s account. The app, which was valued at $400 million but shuttered in April earlier this year, identified users by their user ID.
If an attacker secured access to that string of characters they’d be able view all of their posts, thought to be private.
Secret, another defunct app that let users anonymously share messages, encountered similar security issues before it shuttered in 2015.