After the security flaw was uncovered, Sarahah's creator, Zain al-Abidin Tawfiq, tweeted that the contact-storing behaviour would be removed from the app in future updates and that it had been put in place for a "find your friends" feature.
While Sarahah does ask for permission to access a user's contacts, it does not disclose that those contacts are being uploaded to and stored on its servers.
Julian added that the app does this all over again if you use it after a break: when he relaunched the app after a gap of two days, all his contacts were pushed to Sarahah's servers again. The app's feature for sending and receiving anonymous messages is what caught users' attention, but the app is collecting more than feedback messages. "Even in an innocent use case, if the data is not being handled safely, a server breach could allow malicious parties access to this contacts data", he said. It is also worth noting that the app works well even when users do not allow it to access their contacts.
However, on the latest Android versions and on iPhones, the app prompts the user to allow it to "access contacts", without giving any justification for why it does so. After The Intercept pointed out the behaviour, Tawfiq stated that "the data request will be removed on next update" and claimed that Sarahah's database does not "host contacts" at the moment. On both iOS and Android, Sarahah asks for permission to access each user's phone contacts; a permission prompt to read contacts, however, does not amount to consent to have those contacts uploaded to the company's servers.
Julian, a senior security analyst at Bishop Fox, installed the Sarahah app on a Galaxy S5 running Android 5.1.1. Given that Sarahah is one of the most downloaded apps, Julian estimates that it may already have harvested hundreds of millions of phone numbers and email addresses.
Still, if Sarahah intends to continue scooping up users' contact data via its mobile apps, Julian believes a more responsible path for the company would be to tell users specifically what data they are giving up and where it is going, and to give them a legitimate reason why the app actually needs it.
Those who really want to use Sarahah but are concerned about their privacy can take comfort in the fact that they do not need to download the app to use the service. Alternatively, you can manually disable the app's permission to access contacts.