Last time we talked about the latest fad among social media users, Sarahah, and the man behind it. The app has so far recorded millions of downloads on the Apple App Store and Google Play Store combined.
Once again the app is the talk of social media, but this time because of a privacy loophole discovered by Zachary Julian, a senior analyst at Bishop Fox.
According to Julian's report, while the Sarahah app lets you receive honest feedback from your friends, it also quietly harvests your phone contacts and uploads them to the company's servers. The data includes all the phone numbers and email addresses stored in your phone's address book.
Harvesting your contact list without your permission opens up multiple security risks, as the app could sell your data, under the banner of research, to any statistics or market research company.
The app has recorded roughly 50 to 70 million downloads on the Google Play Store alone. It is easy to imagine how much data is at risk.
Soon after this flaw was discovered, the creator of Sarahah tweeted that it was just a feature that was supposed to have been removed by a partner who has since left. Nowhere, however, did he clarify why and where the data is being used, or how trustworthy the servers storing it are.
He also added that the feature that records your contacts has now been removed, but his claim remains unverified, as security research companies have not said anything about it in new reports.
The app does clearly state, when someone opts for the "find your friends on Snapchat" option, that their contacts will be uploaded to its servers to improve the experience.
On a positive note, a user who wants to use Sarahah can do so through the website without downloading the service's app, as the website doesn't fetch any of this data.
Still, if Sarahah continues to scoop up users' data via its app, the company will have to inform users specifically about what data it is going to upload and to which servers, and give them a legitimate reason for doing so.