Narendra Modi app sharing user information without consent: Security researcher
What's the story
French security researcher Elliot Alderson, who's been in the news for discovering major security flaws in the Aadhaar app, has found that the official Narendra Modi app on Android is allegedly sharing user information with a US-based company called CleverTap without users' consent.
The information being shared includes operating system, network type, carrier, e-mail, photo, gender, and name, he said.
Twitter Post
Information includes e-mail, photo, name
When you create a profile in the official @narendramodi #Android app, all your device info (OS, network type, Carrier …) and personal data (email, photo, gender, name, …) are sent without your consent to a third-party domain called https://t.co/N3zA3QeNZO. pic.twitter.com/Vey3OP6hcf
— Elliot Alderson (@fs0c131y) March 23, 2018
Information
CleverTap is a data analytics platform
On creating a profile on the app, the information is sent to a third-party domain called in.wzrkt.com, which belongs to CleverTap. "According to their description, #CleverTap is the next generation app engagement platform. It enables marketers to identify, engage and retain users," Alderson said.
Details
The data is secured, not used for remarketing: App developers
However, the app's developers reached out to Alderson clarifying that they use CleverTap "only as an analytical platform" and that "the data is not used for remarketing" and is secured by the app. CleverTap doesn't have access to it.
To this, Alderson said, "Using an analytics solution is standard in the mobile development world. However, sharing personal data without the user's consent is illegal."
Twitter Post
The app team reaches out to Alderson
One minute after my post on @narendramodi's #android app, the "App team" created a new Twitter profile to discuss with me. We had a nice discussion. In order to be fair, here is their first answer. pic.twitter.com/4JbdoSefpt
— Elliot Alderson (@fs0c131y) March 24, 2018
Background
You don't have to provide personal info to access app
The Narendra Modi app allows users to stay updated on the government's various efforts and initiatives and to provide suggestions on them.
The app notes, "No permission is compulsory on the NM app. You can access the app even as a guest without entering your email address or phone. This is unlike most other Apps, where some sort of info is required."
Information
Earlier, Alderson had hacked Aadhaar to access 22,000 card details
Earlier, Alderson had hacked into the Aadhaar app within a minute and reportedly gained access to 22,000 Aadhaar card details. "These cards can be found on the internet. They are not on the UIDAI server. Everything is public, no hack is required," he said.