Government Apps sending data to US firm without user consent
Security researchers have discovered that the official mobile app of Indian Prime Minister Narendra Modi has been sending user data to a US firm without user consent. On Android alone, the Prime Minister’s app has been downloaded over five million times. Commonly known as the NaMo app, it has received a severe backlash on social media and heightened criticism from the opposition party, Congress.
However, the ruling BJP is adamant that the data was only being used to improve user experience through analytics, and has denied all allegations. The BJP went further and alleged that the Congress app has likewise shared data with third parties in violation of user consent.
When you create a profile in the official @narendramodi #Android app, all your device info (OS, network type, Carrier …) and personal data (email, photo, gender, name, …) are sent without your consent to a third-party domain called https://t.co/N3zA3QeNZO. pic.twitter.com/Vey3OP6hcf
— Elliot Alderson (@fs0c131y) March 23, 2018
The earlier wording read:
“Your personal information and contact details shall remain confidential and shall not be used for any purpose other than our communication with you. The information shall not be provided to third parties in any manner whatsoever without your consent.”
However, it has since been changed to say:
“The following information may be processed by third-party services to offer you a better experience as stated above: name, email, mobile phone number, device information, location and network carrier.”
BJP’s in-charge of information technology has also pointed out that Congress was sending data to an IP address based in Singapore. However, the Congress website clearly states that user data may be shared with organizations holding similar political views and with volunteers in order to design campaigns, unlike the NaMo app. A Congress member has pointed out that the party app stopped sharing user data a long time ago and that it was only ever used to develop targeted social media campaigns; data is now collected only for membership, through an encrypted platform. However, the same security researcher who found the vulnerabilities in the NaMo app has discovered that the Congress website sends its requests over plain HTTP instead of HTTPS. Moreover, the personal data in those requests is merely base64-encoded rather than encrypted, so the researcher was able to decode it with ease.
Moreover, the personal data are encoded with base64. This is not encryption! Decoding this data is very easy, as shown in the example. pic.twitter.com/yDWawN2YiR
— Elliot Alderson (@fs0c131y) March 26, 2018
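The two weaknesses the researcher describes (plain HTTP transport and base64 standing in for encryption) can be checked mechanically during an app privacy audit. The script below is an added illustration, not code from the researcher or from either party's app; the URL and form body are constructed samples, and the PII patterns are an assumption about what the fields contain.

```python
"""Audit a captured app request for cleartext transport and base64-encoded personal data."""
import base64
import binascii
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample request (not real traffic): every form field is a base64 string.
SAMPLE_URL = "http://example.invalid/api/register"
SAMPLE_BODY = (
    "name=QWxpY2UgRXhhbXBsZQ=="
    "&email=YWxpY2VAZXhhbXBsZS5jb20="
    "&phone=KzkxOTg3NjU0MzIxMA=="
)

# Assumed heuristics for recognising decoded personal data.
PII_PATTERNS = {
    "email": re.compile(r"^[^@\s]+@[^@\s]+\.[a-z]{2,}$", re.I),
    "phone": re.compile(r"^\+?\d{10,15}$"),
}


def try_base64(value: str):
    """Return the decoded text if value is strict base64 of printable UTF-8, else None."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    return text if text.isprintable() else None


def audit_request(url: str, body: str) -> dict:
    """Return findings: whether transport is cleartext and which fields hide PII behind base64."""
    findings = {"cleartext_transport": urlsplit(url).scheme == "http", "encoded_pii": {}}
    # Note: parse_qsl turns a literal '+' into a space, so a real capture must keep
    # form fields percent-encoded for base64 values containing '+' to survive.
    for field, value in parse_qsl(body, keep_blank_values=True):
        decoded = try_base64(value)
        if decoded is None:
            continue  # not reversible encoding of text; could be genuine ciphertext
        kind = next((k for k, p in PII_PATTERNS.items() if p.match(decoded)), "text")
        findings["encoded_pii"][field] = {"decoded": decoded, "looks_like": kind}
    return findings
```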
In recent weeks, violations of user data and privacy have become a hot topic of debate following the Facebook-Cambridge Analytica scandal. Data shared with third-party applications is prone to misuse, and sharing it without permission is an extreme violation of user consent and digital rights.