Sarahah, the anonymous feedback app that recently went viral, has reportedly been silently collecting users' phone contact data without their knowledge. Once launched, the app reportedly harvests every phone number and email address stored in the user's contacts, without disclosing the collection.

According to Bishop Fox security researcher Zachary Julian, who first spotted Sarahah's data collection, the app collects the data on both Android and Apple smartphones, The Intercept reported. Zain al-Abidin Tawfiq, the app's founder, took to Twitter to confirm the data collection, adding that the app was harvesting contacts for a "find your friends feature" that was supposed to be integrated into the app but was "delayed due to a technical issue".

He told The Intercept that a partner of the app was supposed to remove the data collection feature but the app "missed that", adding that Sarahah has since removed it from its servers and does not store users' contacts in its databases. However, there is no way yet to verify Tawfiq's claims.

"Even in an innocent use case, if the data is not being handled safely, a server breach could allow malicious parties access to this contacts data," said Sudo Security Group president Will Strafach. "Additionally, there is no silver bullet to solving this. My team wrote software to automatically detect this behavior in iOS apps in order to call out bad actors, but we found that the information was not as useful as anticipated, because so many apps are doing it and there is no reliable way to tell if the data is being handled safely on the server's side, and that is the most important part."

Sarahah is estimated to have been downloaded by over 18 million people worldwide from Apple's and Google's app stores and, until recently, it reportedly ranked third among the most downloaded free apps for iPhones and iPads.

According to Julian, Sarahah's data collection raises privacy concerns, especially given its popularity. Although the app does seek permission to access users' phone data, it refrains from disclosing what kind of data it collects. "The privacy policy specifically states that if it plans to use your data, it'll ask for your consent," Julian said.

"Upon logging into the app, Sarahah will attempt to send all phone and email contacts outbound. On iOS and Android 6+, the operating system will prompt the user before allowing access to the phone's contacts," Julian wrote in a blog. "Phones running Android 5 and below, of which there is still a significant market share, will have no further prompt about accessing contacts beyond the Play Store permissions during installation. It's likely that most users permit access to their contacts without considering how this data may be used."
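As an added illustration of the permission-model difference Julian describes (this is example code, not part of the original article or of Bishop Fox's tooling), the Python script below inspects a decoded AndroidManifest.xml and reports whether a contacts-reading app would trigger a runtime prompt. It also generalises the point slightly: on Android 6+ the prompt only applies when the app targets API level 23 or higher; apps targeting lower API levels, and all devices on Android 5 or below, fall back to install-time grants. The manifest text is constructed for the example and is not Sarahah's.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
CONTACT_PERMS = {"android.permission.READ_CONTACTS", "android.permission.WRITE_CONTACTS"}
RUNTIME_PERMISSIONS_API = 23  # Android 6.0 (Marshmallow) introduced runtime permission prompts

# Constructed sample manifest (hypothetical app, not Sarahah's): declares READ_CONTACTS, targets API 22.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.feedback">
  <uses-sdk android:minSdkVersion="16" android:targetSdkVersion="22"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
</manifest>
"""


def analyze_manifest(manifest_xml: str) -> dict:
    """Return declared contact permissions, target SDK, and whether Android 6+ will show a runtime prompt."""
    root = ET.fromstring(manifest_xml)
    name_attr = f"{{{ANDROID_NS}}}name"
    target_attr = f"{{{ANDROID_NS}}}targetSdkVersion"
    declared = {el.get(name_attr) for el in root.iter("uses-permission")}
    contact_perms = sorted(declared & CONTACT_PERMS)
    uses_sdk = root.find("uses-sdk")
    target = None
    if uses_sdk is not None and uses_sdk.get(target_attr):
        target = int(uses_sdk.get(target_attr))
    # A runtime prompt on Android 6+ only applies when the app targets API 23 or higher;
    # lower targets keep the legacy install-time grant even on newer devices.
    runtime_prompt = target is not None and target >= RUNTIME_PERMISSIONS_API
    return {
        "contact_permissions": contact_perms,
        "target_sdk": target,
        "runtime_prompt_on_android6": bool(contact_perms) and runtime_prompt,
    }


def prompt_behaviour(device_api: int, target_sdk: int) -> str:
    """Describe what the user sees for a contacts permission on a given device / target combination."""
    if device_api < RUNTIME_PERMISSIONS_API:
        return "install-time grant only (Android 5 and below: no further prompt)"
    if target_sdk < RUNTIME_PERMISSIONS_API:
        return "legacy install-time grant even on Android 6+ (app targets API < 23)"
    return "runtime prompt when the app first requests contacts"


if __name__ == "__main__":
    report = analyze_manifest(SAMPLE_MANIFEST)
    print(report)
    for api in (21, 23):
        print(f"device API {api}: {prompt_behaviour(api, report['target_sdk'])}")
```

Run against an APK's decoded manifest, the same check flags apps that declare contact permissions but target an API level below 23, which is where a user on a Marshmallow-or-newer device would still see no runtime prompt.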

Sarahah's popularity skyrocketed in the US, UK and other western as well as Asian countries earlier this year, after Arab expats in Canada began using the app, Mashable reported. However, the app's rapid rise in popularity also raised concerns about it being abused, specifically in propagating cyberbullying.


This article has been updated to include an excerpt from Bishop Fox's official blog on Sarahah's data collection.