In a recent report, Sarahah, the app that has become everyone's favourite in the past few weeks and is aimed at letting users receive constructive criticism from their peers, was caught red-handed when a user discovered it collecting private information. Zachary Julian, a senior security analyst at Bishop Fox, installed the app on his Samsung Galaxy S5 running Android 5.1.1 Lollipop. What was special about this smartphone is that Zachary had Burp Suite set up on the phone to monitor the traffic coming in and going out of the handset.
When he fired up Sarahah, he found that the app began uploading his data, including phone numbers and email addresses, to its servers. On iOS, though, a pop-up appears as the app starts, asking permission to access the contacts. After The Intercept's story, Zain al-Abidin Tawfiq, the creator of Sarahah, revealed in a tweet that the app asks for contacts because of a "find your friends" feature that could not be shipped in time due to technical issues, and that a partner he had since stopped working with was supposed to have removed this code from the app. Zain also said that the app does not store any private information in its database.
From Android 6.0 Marshmallow onwards, Android has used fine-grained runtime permissions that ask the user whether to allow a third-party app to read data from the phone, among other things.
This incident also highlights the fact that most people simply do not care when an app asks for permission to access private information; they just allow it to read the data. Zain may have a valid reason for the app collecting users' data, but we will never know for sure.