The Sarahah app has recorded millions of downloads on the Google Play Store and the Apple App Store combined. According to Julian, the app, which plays on getting users “honest feedback” from their friends, quietly harvests and uploads its users’ phone contacts to the company’s servers. These include all phone numbers and email addresses stored in the device’s address book.
While Sarahah does ask for permission to access a user’s contacts, it does not say that those contacts are uploaded to and stored on its servers. Julian, a senior security analyst at Bishop Fox, installed the Sarahah app on a Galaxy S5 running Android 5.1.1, with the device’s network traffic routed through Burp Suite, an intercepting proxy that let him see the data his phone was sending to remote servers. On installing and running Sarahah, Julian found that the app was sending his personal contact data to the company’s servers without adequate notice or permission.
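A defender-side check in the spirit of the method described above, added here as an example and not taken from the article or from Bishop Fox: given request bodies captured by an intercepting proxy such as Burp Suite, it flags requests that carry many distinct phone numbers or email addresses, which is the signature of an address book being uploaded. The host name, URLs and request bodies are constructed for the example.

```python
import json
import re
from urllib.parse import unquote

# Constructed sample of intercepted requests (simplified HAR-like records).
# Hostname and bodies are invented; this is not real app traffic.
SAMPLE_ENTRIES = [
    {"url": "https://api.example-app.invalid/v1/contacts/sync",
     "body": json.dumps({"contacts": [
         {"name": "A", "phone": "+14155550101", "email": "a@example.com"},
         {"name": "B", "phone": "+14155550102", "email": "b@example.com"},
         {"name": "C", "phone": "+14155550103"}]})},
    {"url": "https://api.example-app.invalid/v1/feedback",
     "body": json.dumps({"message": "thanks, call me at +14155550199"})},
]

# Loose patterns: international or local phone numbers and e-mail addresses.
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{7,}\d")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def count_contact_identifiers(body):
    """Return (distinct phone numbers, distinct e-mail addresses) found in a body.

    Percent-encoding is undone first so form-encoded bodies are covered;
    gzip or base64-wrapped bodies would need decoding before this step.
    """
    text = unquote(body)
    phones = {re.sub(r"\D", "", m) for m in PHONE_RE.findall(text)}
    emails = {m.lower() for m in EMAIL_RE.findall(text)}
    return len(phones), len(emails)


def flag_contact_exfil(entries, threshold=3):
    """List (url, phones, emails) for requests carrying >= threshold identifiers.

    A single number in a chat message is normal; dozens in one request is
    the pattern of an address book being synced to a remote server.
    """
    flagged = []
    for entry in entries:
        phones, emails = count_contact_identifiers(entry.get("body", ""))
        if phones + emails >= threshold:
            flagged.append((entry["url"], phones, emails))
    return flagged


if __name__ == "__main__":
    for url, phones, emails in flag_contact_exfil(SAMPLE_ENTRIES):
        print(f"possible contact upload: {url} ({phones} phones, {emails} emails)")
```

In practice the entries would come from a proxy export of the app's traffic, and the threshold is tuned to the app's expected behaviour.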