Government Apps sending data to US firm without user consent

Security researchers have discovered that the official mobile app of Indian Prime Minister, Narendra Modi has sent user data to a US firm without user consent. On Android alone, the Prime Minister’s app has been downloaded over five million times. Commonly known as the NaMo app, it has received a severe backlash on social media and heightened criticism from the opposition party, Congress.

However, the ruling BJP is adamant that the data was only being used to improve user experience through analytics and denied all allegations. BJP also went ahead and alleged that the Congress app has also shared data with third parties violating user consent.

The allegation came to light when a security researcher discovered that the NaMo app was sending personal user information to a third-party domain. Once the domain was traced, it was found to be belonging to an American company. The domain belongs to Wiz Rocket Inc, a data analytics company based out of California running under another US-based company called CleverTap. CleverTap is a mobile marketing platform founded by three Indians and having offices in US and India. When the user was signing up for the app, it was never asked for the permission of data access which is a common practice of major application. Soon after the security researcher tweeted about the data violation, the NaMo app updated its privacy policy without releasing a statement of information. It is the same researcher who also found vulnerabilities in India’s National Identity Card project, termed the Aadhar Card.

When you create a profile in the official @narendramodi #Android app, all your device info (OS, network type, Carrier …) and personal data (email, photo, gender, name, …) are send without your consent to a third-party domain called https://t.co/N3zA3QeNZO. pic.twitter.com/Vey3OP6hcf

— Elliot Alderson (@fs0c131y) March 23, 2018

After the backlash on social media, BJP admitted to sharing user data, however, they deemed it to be similar to Google Analytics that uses user data to offer contextual content. Their response in no way has addressed the issue of consent. The privacy policy previously said,

“Your personal information and contact details shall remain confidential and shall not be used for any purpose other than our communication with you. The information shall not be provided to third parties in any manner whatsoever without your consent.”

However, it has been changed to say,

“The following information may be processed by third-party services to offer you a better experience as stated above: name, email, mobile phone number, device information, location and network carrier.”

BJP’s in-charge of information technology has also pointed that Congress was sending data to an IP based out of Singapore. However, their website clearly mentions that user data may be shared with organizations with similar political views and volunteers to design campaigns, as opposed to the NaMo app. A Congress member has pointed out that the party app has discontinued sharing user data a long time back and it was only used to develop targeted social media campaigns. Now data is only collected for membership through an encrypted platform. However, the same security researcher who found vulnerabilities in the NaMo app has discovered that the Congress website is using HTTP to encode requests instead of HTTPS. Moreover, the researcher decrypted the data with much ease.

Moreover, the personal data are encoding with base 64. This is not encryption! Decode this data is very easy as shown in the example. pic.twitter.com/yDWawN2YiR

— Elliot Alderson (@fs0c131y) March 26, 2018

In the past weeks, violation of user data and privacy has become a hot debate after the Facebook-Cambridge Analytica scandal. Data shared with third-party applications is prone to misuse and is an extreme violation of user consent and digital rights.