How Sarahah is playing with your privacy

These days Sarahah is one of the most commonly used apps. Following the trend, I also thought of installing it on my phone, but then I decided to dig into the app and find out how it works before blindly installing it. I installed it in my Genymotion emulator and started my static and dynamic tests.

I read the Google Play Store page to download the very same app for my emulator. Every Android app comes with a set of permissions that it asks of its users, and that permission set is declared in the file AndroidManifest.xml.

I disassembled the application to see that file and list all the permissions for you below; by going through it, anyone can easily figure out what kind of permissions it will take from its users.

So the file above shows that it asks for permission to use the camera, read your contacts and access your network state. At first look it appears like any other app, so I decided to look at the application's source code.
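The permission list is the first thing to triage in a decoded manifest, and the combination that matters most is a permission that reads personal data together with one that lets data leave the device. The following Python script is an added example and is not code from the post or from Sarahah; the manifest it parses is a constructed sample in the layout produced by a decoder such as apktool, with a made-up package name, and the triage table is a short hand-written list, not Android's full protection-level table.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions that give an app access to the user's personal data or identity.
# Hand-written triage list for this example (an assumption), not Android's
# complete table of dangerous permissions.
PERSONAL_DATA_PERMISSIONS = {
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.WRITE_CONTACTS": "contacts",
    "android.permission.GET_ACCOUNTS": "account identities (e-mail addresses)",
    "android.permission.CAMERA": "camera",
    "android.permission.READ_PHONE_STATE": "phone number / device identifiers",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
}

# Permissions that let data leave the device; harmless alone, significant in combination.
NETWORK_PERMISSIONS = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
}

# Constructed sample of a decoded AndroidManifest.xml. The package name and the
# permission set are made up for this example.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.anonymous.feedback">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
    <application android:label="Example"/>
</manifest>
"""


def list_permissions(manifest_xml):
    """Return the android:name of every <uses-permission> element, in manifest order."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS  # attributes live in the android: namespace
    return [el.get(name_attr) for el in root.iter("uses-permission") if el.get(name_attr)]


def triage_permissions(manifest_xml):
    """Summarise what the declared permissions let the app reach.

    Returns the full permission list, the personal-data permissions mapped to what
    they expose, whether the app can use the network, and a flag that is set when
    both are true: personal data that can be read and also sent off the device.
    """
    perms = list_permissions(manifest_xml)
    personal = {p: PERSONAL_DATA_PERMISSIONS[p] for p in perms if p in PERSONAL_DATA_PERMISSIONS}
    has_network = any(p in NETWORK_PERMISSIONS for p in perms)
    return {
        "permissions": perms,
        "personal_data": personal,
        "network": has_network,
        "can_exfiltrate_personal_data": has_network and bool(personal),
    }


if __name__ == "__main__":
    report = triage_permissions(SAMPLE_MANIFEST)
    for perm in report["permissions"]:
        print(perm, "->", report["personal_data"].get(perm, "-"))
    print("network access:", report["network"])
    print("can exfiltrate personal data:", report["can_exfiltrate_personal_data"])
```

On a real decoded APK, replace SAMPLE_MANIFEST with the contents of the decoded AndroidManifest.xml; the flag only says what the app is able to do, which is exactly why the dynamic test later in the post is needed to see what it actually does.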

During code analysis the following code caught my attention, and I wondered why it was asking for the phone list and the email list.

Honestly, at first I didn't get it very well, so I decided to save a fake contact in my emulator, with a fake email address corresponding to the mobile number.

So I added two contacts in the emulator and installed Sarahah.

To my utter surprise, once you log in the app first issues an auth token (a common practice in Android apps for maintaining a session), then it makes two POST calls to the URLs below.

What they are taking is shocking: without giving users any warning about sharing their contacts, the app just pushes the contacts and emails to its server. This is a big privacy breach for innocent users.

Our favourite app is stealing information that we don't want to share.

Every time you log in to the app it re-initiates the request to fetch contacts by calling the URLs above.
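The test the author ran by hand, planting known fake contacts and then watching the POST bodies, can be automated as a canary check over an intercepting proxy's capture. The following Python script is an added example, not code from the post or from the app; the canary values, the hostnames and paths, and the captured flows are all constructed here as placeholders, and the capture format (a list of method/url/content-type/body records) is an assumption about how the proxy export was flattened.

```python
import json
import re
from urllib.parse import parse_qs

# Canary contacts planted in the emulator before login (constructed for this example).
# Each value is unique and belongs to no real person, so any appearance on the wire
# can only have come from the planted address book.
CANARIES = {
    "phone": ["+1 555 010 0001", "+1 555 010 0002"],
    "email": ["canary.one@example.invalid", "canary.two@example.invalid"],
}


def normalize_phone(s):
    """Keep only digits so '+1 555 010 0001', '15550100001' and '1-555-010-0001' compare equal."""
    return re.sub(r"\D", "", s)


def extract_strings(body, content_type):
    """Flatten a request body into the list of string values it carries.

    Handles JSON (including nested objects and arrays) and
    application/x-www-form-urlencoded; any other body is one opaque string.
    """
    if "json" in content_type:
        try:
            parsed = json.loads(body)
        except ValueError:
            return [body]
        values = []

        def walk(node):
            if isinstance(node, dict):
                for child in node.values():
                    walk(child)
            elif isinstance(node, list):
                for child in node:
                    walk(child)
            elif node is not None:
                values.append(str(node))

        walk(parsed)
        return values
    if "x-www-form-urlencoded" in content_type:
        # parse_qs percent-decodes keys and values, e.g. %40 -> @
        return [v for vals in parse_qs(body).values() for v in vals]
    return [body]


def find_canary_leaks(flows, canaries):
    """Return (method, url, value) for every request whose body carries a planted value."""
    phones = {normalize_phone(p) for p in canaries["phone"]}
    emails = {e.lower() for e in canaries["email"]}
    leaks = []
    for flow in flows:
        for s in extract_strings(flow.get("body", ""), flow.get("content_type", "")):
            digits = normalize_phone(s)
            if digits and digits in phones:
                leaks.append((flow["method"], flow["url"], s))
            elif s.lower() in emails:
                leaks.append((flow["method"], flow["url"], s))
    return leaks


# Constructed capture of one app session. Hostnames and paths are placeholders,
# not the real service's endpoints.
SAMPLE_FLOWS = [
    {"method": "POST", "url": "https://api.example.invalid/auth/login",
     "content_type": "application/json",
     "body": '{"username":"tester","password":"***"}'},
    {"method": "POST", "url": "https://api.example.invalid/contacts/phones",
     "content_type": "application/json",
     "body": '{"contacts":[{"name":"Canary One","number":"15550100001"},'
             '{"name":"Canary Two","number":"1-555-010-0002"}]}'},
    {"method": "POST", "url": "https://api.example.invalid/contacts/emails",
     "content_type": "application/x-www-form-urlencoded",
     "body": "emails%5B%5D=canary.one%40example.invalid&emails%5B%5D=Canary.Two%40example.invalid"},
    {"method": "GET", "url": "https://api.example.invalid/feed",
     "content_type": "", "body": ""},
]

if __name__ == "__main__":
    for method, url, value in find_canary_leaks(SAMPLE_FLOWS, CANARIES):
        print("canary %r left the device in %s %s" % (value, method, url))
```

Because every canary is unique, a match is unambiguous evidence that the address book was uploaded, and the normalisation step catches the common reformatting of numbers and the change of case in e-mail addresses that would otherwise hide it; re-running the check after each login is how one confirms the repeated upload the author describes.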

So it is clear that for any app which catches our interest and claims to offer us something attractive, we must think beforehand about what it will take in lieu of what it offers.

I don't have much time to expose the other details of the app, which I am planning to send to the app owners.

Hope you like this short writeup... signing off...