Sarahah Mobile App Uploading Users’ Contacts to Remote Servers

Bishop Fox researcher Zachary Julian recently discovered that the popular messaging app, Sarahah, uploaded users’ contact lists to a remote server. Sarahah advertises the ability for users to send anonymous messages to other users, enticing them to give and receive “honest feedback” to friends. The app’s developer, Zain al-Abidin Tawfiq, located in Saudi Arabia, first defended the data collection via his Twitter account, but later claimed that the app’s database does not contain any contact information and eventually promised to remove the data collection feature in the next update after privacy enthusiasts questioned his intentions and justifications. The NJCCIC recommends users consider deleting the Sarahah app from mobile devices and advise people in their contact lists to be on alert for social engineering scams, such as phishing or vishing, that could result from the leak of this data. In addition, all mobile device users are encouraged to exercise caution before downloading apps, paying close attention to any permissions requested by the app, and avoiding the installation of applications that request excessive and unjustified access to the device. The NJCCIC would also like to remind parents that anonymous messaging apps such as Sarahah could encourage and enable cyberbullying and other illicit activity amongst children and teenagers.