Narendra Modi app sharing user information without consent: Security researcher

By Bhavika Bhuwalka

Mar 25, 2018

09:16 am

What's the story

French security researcher Elliot Alderson, who's been in the news for discovering major security flaws in the Aadhaar app, has found out that the official Narendra Modi app on Android is allegedly sharing user information with a US-based company called CleverTap without their consent. The information being shared includes operating software, network type, carrier, e-mail, photo, gender, and name, he said.

Twitter Post

Information includes e-mail, photo, name

When you create a profile in the official @narendramodi #Android app, all your device info (OS, network type, Carrier …) and personal data (email, photo, gender, name, …) are send without your consent to a third-party domain called https://t.co/N3zA3QeNZO. pic.twitter.com/Vey3OP6hcf

— Elliot Alderson (@fs0c131y) March 23, 2018

Information

CleverTap is a data analytics platform

On creating a profile on the app, the information is sent to a third-party domain called in.wzrkt.com., which belongs to CleverTap. "According to their description," #CleverTap is the next generation app engagement platform. It enables marketers to identify, engage and retain users," Alderson said.

Details

The data is secured, not used for remarketing: App developers

However, the app's developers reached out to Alderson clarifying that they use CleverTap "only as an analytical platform" and that "the data is not used for remarketing" and is secured by the app. CleverTap doesn't have access to it. To this Alderson said, "Using an analytics solution is standard in the mobile development world. However, sharing personal data without the user consent is illegal."

Twitter Post

The app team reaches out to Alderson

One minute after my post on @narendramodi's #android app, the "App team" created a new Twitter profile to discuss with me. We had a nice discussion. In order to be fair, here their first answer. pic.twitter.com/4JbdoSefpt

— Elliot Alderson (@fs0c131y) March 24, 2018

Background

You don't have to provide personal info to access app

The Narendra Modi app allows users to keep updated on the government's various efforts and initiatives and provide suggestions on the same. The app notes, "No permission is compulsory on the NM app. You can access the app even as a guest without entering your email address or phone. This is unlike most other Apps, where some sort of info is required."

Information

Earlier, Alderson had hacked Aadhaar to access 22,000 card details

Earlier, Alderson had hacked into the Aadhaar app within a minute and reportedly gained access to 22,000 Aadhaar card details. "These cards can be found on the internet. They are not on the UIDAI server. Everything is public, no hack is required," he said.