Narendra Modi app sharing user information without consent: Security researcher

French security researcher Elliot Alderson, who's been in the news for discovering major security flaws in the Aadhaar app, has found that the official Narendra Modi app on Android is allegedly sharing user information with a US-based company called CleverTap without users' consent. The information being shared includes operating system, network type, carrier, e-mail, photo, gender, and name, he said.
When you create a profile in the official @narendramodi #Android app, all your device info (OS, network type, Carrier …) and personal data (email, photo, gender, name, …) are sent without your consent to a third-party domain called https://t.co/N3zA3QeNZO. pic.twitter.com/Vey3OP6hcf
— Elliot Alderson (@fs0c131y) March 23, 2018
On creating a profile on the app, the information is sent to a third-party domain called in.wzrkt.com, which belongs to CleverTap. "According to their description, #CleverTap is the next generation app engagement platform. It enables marketers to identify, engage and retain users," Alderson said.
However, the app's developers reached out to Alderson, clarifying that they use CleverTap "only as an analytical platform" and that "the data is not used for remarketing" and is secured by the app. CleverTap doesn't have access to it. To this, Alderson said, "Using an analytics solution is standard in the mobile development world. However, sharing personal data without the user consent is illegal."
One minute after my post on @narendramodi's #android app, the "App team" created a new Twitter profile to discuss with me. We had a nice discussion. In order to be fair, here is their first answer. pic.twitter.com/4JbdoSefpt
— Elliot Alderson (@fs0c131y) March 24, 2018
The Narendra Modi app allows users to keep updated on the government's various efforts and initiatives and provide suggestions on the same. The app notes, "No permission is compulsory on the NM app. You can access the app even as a guest without entering your email address or phone. This is unlike most other Apps, where some sort of info is required."
Earlier, Alderson had hacked into the Aadhaar app within a minute and reportedly gained access to 22,000 Aadhaar card details. "These cards can be found on the internet. They are not on the UIDAI server. Everything is public, no hack is required," he said.