Hit App Sarahah Quietly Uploads Your Address Book

An anonymous reader shares a report: Sarahah, a new app that lets people sign up to receive anonymized, candid messages, has been surging in popularity; somewhere north of 18 million people are estimated to have downloaded it from Apple and Google's online stores, making it the No. 3 most downloaded free software title for iPhones and iPads. Sarahah bills itself as a way to "receive honest feedback" from friends and employees. But the app is collecting more than just feedback messages. When launched for the first time, it immediately harvests and uploads all phone numbers and email addresses in your address book. Although Sarahah does in some cases ask for permission to access contacts, it does not disclose that it uploads such data, nor does it seem to make any functional use of the information. Zachary Julian, a senior security analyst at Bishop Fox, discovered Sarahah is uploading of private information when he installed the app on his Android phone, a Galaxy S5 running Android 5.1.1. The phone was outfitted with monitoring software, known as Burp Suite, which intercepts internet traffic entering and leaving the device, allowing the owner to see what data is sent to remote servers. When Julian launched Sarahah on the device, Burp Suite caught the app in the act of uploading his private data.

Re:Remember, the Walled Garden is for you safety

[JaredOfEuropa]

Nope. At least on iOS the app cannot access your address book without you giving it explicit permission (apparently also the case on newer version of Android according to the article). Neither can it access anything else. There also seems to be much less worry about malware on iOS; most BYOD schemes I've seen require virus scanners, sandboxing and/or monitoring software on Android, but only require a strong PIN on iPhones (or the fingerprint scanner)

By the way, accessing the address book in order to find out if any of your friends are making use of the service is a legitimate reason to access the address book. I suspect it's an important reason for WhatsApp to become as popular as it did, since you didn't need to ask your friends if they signed up and what their handle was. But for this very reason you would expect Apple and Google to come up with a way to match friends on your address list without giving them full access, for example by providing a function that gives you a unique (for your service) user ID for each contact, by hashing a phone nr after salting it with the App ID or some such. That way the app can poll the service to see who signed up without requiring access to the actual address book.