Sarahah compromising users’ privacy covertly.

Rishabh Maurya
Aug 28, 2017 · 2 min read

Anonymity does come at a cost. And if you have been caught up in the mass hysteria called “Sarahah”, this report will be an eye-opener. Initially, it may seem to be a platform where a person can learn, anonymously, the general perception of people who might know him/her. But behind the facade of anonymous feedback, the app is not only uploading your contacts but also your emails, for seemingly no logical reason at all.

There is a feature called “Find your friends” which is still undeveloped, so there is no legitimate reason for the app to access a user’s contacts at all. This was first pointed out by Zachary Julian, a security analyst, as reported in The Intercept. He used Burp Suite, a network security testing tool, to intercept the data sent by the Sarahah app, and was surprised by the kind of data the app sent.

After reading his article, I tried to decompile the app (version 1.0.08) and, to my surprise, it didn’t even take 5 seconds to decompile it. The app wasn’t even obfuscated using ProGuard or DexGuard. In layman’s terms, anyone with a little knowledge of reverse engineering APKs can get the whole source code in a few minutes while following the doctrine of kaizen.

There is a class named GetContactTask.java in the commons subpackage of the source code which is responsible for uploading the contacts. The following is a snippet of it:

    // Decompiled from GetContactTask.java: phoneMap maps phone number -> contact name
    private void uploadPhoneList(HashMap<String, String> phoneMap) {
        List<PhoneNameDetails> newContacts = new ArrayList();
        PhoneList phoneList = new PhoneList();
        // Every entry of the device's contact list becomes one PhoneNameDetails object
        for (Entry<String, String> e : phoneMap.entrySet()) {
            PhoneNameDetails phoneNameDetails = new PhoneNameDetails();
            phoneNameDetails.setName((String) e.getValue());
            phoneNameDetails.setPhone((String) e.getKey());
            newContacts.add(phoneNameDetails);
        }
        phoneList.setNewContacts(newContacts);
        phoneList.setOldContacts(new ArrayList());
        // The whole list is sent to the server through the Retrofit AuthAPI interface
        ((AuthAPI) SarahahService.getInstance().getRetrofitAPIHandler().create(AuthAPI.class)).uploadPhones(phoneList).enqueue(new Callback<StatusResponse>() {
            public void onResponse(Call<StatusResponse> call, Response<StatusResponse> response) {
                if (response.isSuccessful() && ((StatusResponse) response.body()).status) {
                    GetContactTask.this.isPhoneListUploaded = true;
                    // The task ends only once both the phone list and the email list are uploaded
                    if (GetContactTask.this.isEmailListUploaded) {
                        GetContactTask.this.cancel(true);
                    }
                }
            }

            public void onFailure(Call<StatusResponse> call, Throwable t) {
                // Failures are silently ignored
            }
        });
    }

Retrofit, a type-safe HTTP client by Square, is used for the networking client. The data is uploaded using the POST method, which is evident from the AuthAPI.java class of the user subpackage.
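The decompiled class above shows the pattern an app auditor looks for: code that reads the contacts provider, and a Retrofit endpoint that takes a contact-shaped body. The following script is an added example, not Sarahah’s code and not from the original post. It walks a decompiled source tree (as produced by a decompiler such as jadx), lists the permissions that touch personal data, correlates ContactsContract/AccountManager readers with @POST endpoints whose name or parameters mention phones, contacts, emails or accounts, and applies a crude obfuscation heuristic (how many class names are one or two characters). The sample tree is constructed inline; the package name com.example.app and the endpoint paths are placeholders, while the class, method and type names follow the ones the post mentions.

```python
import re
import tempfile
from pathlib import Path

# Constructed sample of a decompiled tree. Package and endpoint paths are
# placeholders; class/method/type names mirror the ones named in the post.
SAMPLE_TREE = {
    "AndroidManifest.xml": (
        '<manifest package="com.example.app">\n'
        '  <uses-permission android:name="android.permission.READ_CONTACTS"/>\n'
        '  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>\n'
        '  <uses-permission android:name="android.permission.INTERNET"/>\n'
        "</manifest>\n"
    ),
    "com/example/app/commons/GetContactTask.java": (
        "package com.example.app.commons;\n"
        "import android.provider.ContactsContract;\n"
        "public class GetContactTask {\n"
        "    void read(ContentResolver resolver) {\n"
        "        Cursor c = resolver.query(ContactsContract.CommonDataKinds.Phone.CONTENT_URI,\n"
        "                                  null, null, null, null);\n"
        "    }\n"
        "}\n"
    ),
    "com/example/app/user/AuthAPI.java": (
        "package com.example.app.user;\n"
        "public interface AuthAPI {\n"
        '    @POST("placeholder/phones")\n'
        "    Call<StatusResponse> uploadPhones(@Body PhoneList phoneList);\n"
        '    @POST("placeholder/emails")\n'
        "    Call<StatusResponse> uploadEmails(@Body EmailList emailList);\n"
        '    @POST("placeholder/login")\n'
        "    Call<StatusResponse> login(@Body Credentials credentials);\n"
        "}\n"
    ),
}

PERMISSION_RE = re.compile(r'android:name="android\.permission\.(\w+)"')
# Android APIs that hand out address-book / account data
READER_RE = re.compile(r"ContactsContract|AccountManager\b")
# Retrofit write endpoints: annotation, then return type, method name, params
ENDPOINT_RE = re.compile(r'@(POST|PUT|PATCH)\("([^"]*)"\)\s*[\w<>]+\s+(\w+)\s*\(([^)]*)\)')
PII_RE = re.compile(r"phone|contact|email|account", re.I)
TYPE_RE = re.compile(r"\b(?:class|interface)\s+(\w+)")
PII_PERMISSIONS = {"READ_CONTACTS", "GET_ACCOUNTS", "READ_CALL_LOG", "READ_SMS"}


def write_tree(base, tree):
    """Materialise the in-memory sample tree under base so audit() can walk it."""
    for rel, text in tree.items():
        path = Path(base) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(text)
    return Path(base)


def audit(root):
    """Correlate personal-data readers with upload sinks in a decompiled tree."""
    root = Path(root)
    report = {"pii_permissions": [], "readers": [], "sinks": [], "type_names": []}
    manifest = root / "AndroidManifest.xml"
    if manifest.exists():
        perms = set(PERMISSION_RE.findall(manifest.read_text()))
        report["pii_permissions"] = sorted(perms & PII_PERMISSIONS)
    for java in sorted(root.rglob("*.java")):
        src = java.read_text()
        rel = java.relative_to(root).as_posix()
        report["type_names"] += TYPE_RE.findall(src)
        if READER_RE.search(src):
            report["readers"].append(rel)
        for verb, path, method, params in ENDPOINT_RE.findall(src):
            # A write endpoint whose name or body type smells like address-book data
            if PII_RE.search(method) or PII_RE.search(params):
                report["sinks"].append((rel, verb, path, method))
    names = report["type_names"]
    short = sum(1 for n in names if len(n) <= 2)
    # ProGuard/DexGuard output is dominated by one- or two-letter class names
    report["looks_obfuscated"] = bool(names) and short * 2 >= len(names)
    # Reader plus sink: the app can ship the address book; check that users are told
    report["covert_upload_risk"] = bool(report["readers"] and report["sinks"])
    return report


def audit_sample():
    """Run the audit over the constructed tree in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit(write_tree(tmp, SAMPLE_TREE))


if __name__ == "__main__":
    result = audit_sample()
    for key, value in result.items():
        print(f"{key}: {value}")
```

Point the audit at a real decompiled tree with audit("path/to/jadx/output"). The heuristics are deliberately simple: a reader and a sink in the same app do not prove covert upload by themselves, so the verdict is a prompt to check the privacy policy and the consent flow, not a finding on its own.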

Uploading contact details is not uncommon in apps, but it should not be done in a clandestine manner. Users must be informed of the data that is collected from them, and that data should be used in a legitimate manner. Either way, users tend to be unhappy when they come to know how their private data has been compromised.

I would like to conclude with a caveat:

“It’s dangerous when people are willing to give up their privacy.” - Noam Chomsky.


Written by Rishabh Maurya: Android enthusiast | Harcourtian | Software Engineer @ Mindfire Solutions, Noida.
