Researcher catches the app copying his entire address book, in real-time.

There has been a lot of news about a compliments-and-criticisms app, which at one point reached number one in the App Store for both iPhone and iPad. Essentially, the stated premise of Sarahah – which means “frankness” – is to give users the ability to leave happy little messages of praise for one of their friends… or anonymous tips on what the victim needs to work on to improve his life.

What could possibly go wrong? Here’s an app that lets you wake up to hundreds of messages telling you that you’re fat, ugly, you smell bad, your teeth are disgusting, you don’t pull your weight at work… and then magnify that exponentially when you’re a teenager receiving these little day brighteners.

A senior security researcher at Bishop Fox, Zachary Julian actually caught the Sarahah app in real-time absorbing his entire address book with phone numbers and email addresses, and then uploading it to a server

A senior security researcher at Bishop Fox caught Sarahah in the act.

Taken date seen in real time

Obviously, the outcry from parents and psychiatrists has been direct and loud, but there’s a new expert weighing in on the problem. A senior security researcher at Bishop Fox, Zachary Julian actually caught the app in real-time absorbing his entire address book with phone numbers and email addresses, and then uploading it to a server. Julian also found the process repeated a few days later after he had not used the app in that time.

On Android the contacts theft was seamless and running in the background; Julian had a software suite installed that showed him the process. When he used the app on iOS, though, a notification alerted him to the request for permission to access the contacts list.

It wasn’t me!

The app’s creator, Zain al-Abidin Tawfiq, tweeted the explanation after he was contacted about this little feature. While claiming that it was included in order to power a non-existent “find your friends” option in the app, he went on to blame his former partner on the project, saying that individual was supposed to remove the data gathering functionality but didn’t do it. He went on to claim that Sarahah does not store any of the users’ personal information.

Monetization strategy

As always, when someone launches a free app, there’s got to be a reason. In this case, the potential to sell entire address books for the 18 million or so people who’ve downloaded the app so far sounds like a pretty tidy monetization strategy.

UPDATE: In response to the criticism, on August 27 Tawfiq tweeted:  “The database doesn’t currently host contacts and the data request will be removed on next update.”