Yael Grauer, writing for The Intercept:
Sarahah bills itself as a way to “receive honest feedback” from friends and employees. But the app is collecting more than feedback messages. When launched for the first time, it immediately harvests and uploads all phone numbers and email addresses in your address book.
This behavior seems to be all too common lately and, while most apps ask for permission to access contacts, it’s worth bearing in mind that they may not need that access. Additionally, once that access is granted, it isn’t always clear what’s actually done with the data.1 If an app asks for access to sensitive data, it’s worth considering what they intend to use it for and how securely it might be stored should they copy it off of your device.
Update: apparently the app is going to be updated to discontinue this behavior. Better late than never, I suppose.
This all assumes the app actually adheres to the platform rules requiring that they ask for permission to access this (or any other) device data. ↩