The phone number and address book information is not stored by xPortal, it is processed locally and never leaves the user's phone. A one way hashing mechanism is being used when interacting with the user's phone number, as well as during the contacts matching process, therefore the user's privacy is protected.
To protect user privacy by preventing mass harvesting of phone numbers, the xPortal platform includes a service that obfuscates the information saved on the MultiversX blockchain. The service is enabled by default for all xPortal users.
If cleartext phone numbers were used as network identifiers directly, then anyone would be able to associate all phone numbers with blockchain accounts and balances. If instead, the identifier was the hash of the recipient's phone number, attackers would still be able to associate phone numbers with accounts and balances via a rainbow table attack.
The basis of the solution is to derive a user's identifier from both their phone number and a secret salt that is provided by the xPortal API. For each phone number, a unique salt is generated by xPortal API. In order to associate a phone number with a MultiversX blockchain address, the mobile wallet first queries xPortal API for the secret salt of that specific phone number. It then uses the salt to compute the unique identifier that is used on-chain.
Note: If you don't want those having your phone number in their address book to see your xPortal account and your wallet address you can toggle OFF "Friends visibility" from the Profile Info screen (Settings -> Privacy).