Upstart social media app Sarahah has already produced its fair share of controversy. The latest stems from the app’s practice of collecting user information, including contacts, to be used for a feature that does not yet exist.

According to Zachary Julian, a security researcher at IT security consulting firm Bishop Fox, the anonymous people-rating application has taken to collecting and uploading tons of private information from its users.

Both the Android and iOS versions of the application are able to collect and send “every phone number, email address, and associated names” stored on a device to Sarahah’s servers, according to Julian’s research.

The collection process does include a prompt for users on iOS and Android 6.0 or higher which appears after the app is installed and asks for access to contacts on the phone.

For those running Android 5.0 or earlier—over 67 percent of all Android devices still operate on one of these earlier versions of the mobile OS—there is no prompt beyond the list of permissions the app requires that is displayed in the Google Play Store.


In either case, it’s likely that users of Sarahah permit access to their contacts without giving it a second thought. It’s a common request for apps, especially social platforms that often want to connect users with their friends who also use the service.

Zain al-Abidin Tawfiq, the developer who built Sarahah, claimed the contact collection process was for exactly that purpose. In a tweet, the app creator wrote Sarahah asked for contacts as part of a “find your friends” feature.

Tawfiq also admitted in another tweet that Sarahah doesn’t actually have a find your friends feature for the time being. According to the developer, the feature was delayed due to a “technical issue” and the database that would store the contacts of its users is currently empty—suggesting the app never really collected that information.

Users and security experts took issue with the explanation, noting that there was no reason for the app to collect contacts or access address books before the feature that information was supposedly being used for was ready.

The fact the contact database is supposedly empty also doesn’t mean that data wasn’t collected by the app. It’s possible the app is hanging onto that user information for other purposes including selling it to third-party marketers.

A find your friends feature doesn’t make a lot of sense for Sarahah in the first place. The app is intended to be an anonymous review site where anyone can leave a comment about another person. A contacts feature might help give away who left a comment, defeating the anonymity of the app.

Regardless, the security concerns raised by the app’s practices are real. Sarahah is currently one of the most-downloaded apps in the iOS App Store and has received as many as 50 million downloads on Android devices.

While the app’s developers have promised to remove the request for contacts in subsequent versions of the app, it’s unclear just how many people already submitted their data and how that information may be used without their knowledge.