CleverTap, a five-year-old US-based startup founded by three Indians, is facing the heat after a pseudonymous researcher alleged that Indian PM Modi’s Namo app was disclosing private information such as name, email, mobile number, device information, and location to servers controlled by the firm without the user’s consent.
The hacker and researcher known as Elliot Alderson on Twitter pointed out the privacy lapses in the NaMO App in a series of tweets and alleged that mobile marketing platform CleverTap was the beneficiary of the data transfer.
Tweet 1-
1/ In this request, the @narendramodi‘s #Android #application sends silently and without the user’s consent, his IP address and a unique identifier of his phone.
This personal data is sent to the website https://t.co/XTWhe9kc5T which is located in the US. pic.twitter.com/18Ie8JAuXM
— Elliot Alderson (@fs0c131y) March 26, 2018
Tweet 2-
2/ As the application is available in Europe, it must comply with the European regulation called #GDPR. Since an IP address is considered as a personal data, the user must give his consent and must be able to opt out from this data collection. pic.twitter.com/yoJBQsCSMh
— Elliot Alderson (@fs0c131y) March 26, 2018
Tweet 3-
3/ The @narendramodi‘s #Android #application does not meet these requirements and so is breaking this European regulation.
— Elliot Alderson (@fs0c131y) March 26, 2018
Tweet 4-
4/ Moreover, not asking the user consent is a clear violation of the Google Play developer distribution agreement https://t.co/o9tmeWioKI pic.twitter.com/CFKQW2T0aY
— Elliot Alderson (@fs0c131y) March 26, 2018
Tweet 5-
5/ The unique phone identifier sent by the @narendramodi‘s #Android #application is composed of multiple device specific information: board, brand, name of the instruction set, name of the industrial design, manufacturer, model, name of the product pic.twitter.com/kO33eeFjGN
— Elliot Alderson (@fs0c131y) March 26, 2018
Tweet 6-
6/ So if you install the @narendramodi‘s #Android #application on your phone, you are giving a lot of device information to @narendramodi without your consent
— Elliot Alderson (@fs0c131y) March 26, 2018
The second part of the story involves India's opposition party, the Indian National Congress.
The same hacker, Mr. Elliot Alderson, has also pointed out that India's opposition party, the Congress, also revealed its data and sent it to a Singapore server. In a series of tweets, he disclosed that the data encryption was not up to the mark and that the data can be easily hacked or breached:
Tweet 1-
Of course, I will check the With INC #android app too. I encourage talented Indian security researchers to do the same
— Elliot Alderson (@fs0c131y) March 25, 2018
Tweet 2-
I found something interesting on the With INC #android app, details will be published tomorrow
— Elliot Alderson (@fs0c131y) March 25, 2018
Tweet 3-
When you apply for membership in the official @INCIndia #android #app, your personal data are sent encoded through a HTTP request to https://t.co/t1pidQUmtq. pic.twitter.com/6RH0ORYrQd
— Elliot Alderson (@fs0c131y) March 26, 2018
Tweet 4-
Moreover, the personal data are encoded with base 64. This is not encryption! Decoding this data is very easy as shown in the example. pic.twitter.com/yDWawN2YiR
— Elliot Alderson (@fs0c131y) March 26, 2018
Tweet 5-
The IP address of https://t.co/t1pidQUmtq is 52.77.237.47. This server is located in Singapore. As you are an #Indian political party, having your server in #India is probably a good idea. pic.twitter.com/tbspCtOPfB
— Elliot Alderson (@fs0c131y) March 26, 2018
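Base64 is a reversible encoding that needs no key, which is the point made in the tweets above. The Python sketch below is an added example, not code from the researcher or from either app: it audits a captured form-encoded request for fields that decode from base64 into readable personal data. The URL, field names, values and the plain-HTTP transport flag are constructed assumptions for illustration.

```python
import base64
import binascii
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed capture: host, path, field names and values are invented.
SAMPLE_URL = "http://membership.example.test/api/join"
SAMPLE_BODY = ("name=QXNoYSBSYW8%3D&email=YXNoYUBleGFtcGxlLnRlc3Q%3D"
               "&mobile=OTg3NjU0MzIxMA%3D%3D&lang=en")

# Deliberately simple patterns; a real audit would use a fuller PII ruleset.
PII_PATTERNS = {
    "email": re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$"),
    "phone": re.compile(r"^\+?\d{10,13}$"),
}


def try_b64(value):
    """Return the decoded text if value is base64 of printable UTF-8, else None."""
    if len(value) < 8 or len(value) % 4:
        return None  # too short to judge, or not padded base64
    try:
        text = base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def audit_request(url, body):
    """Report form fields whose values are readable once base64-decoded."""
    cleartext = urlsplit(url).scheme != "https"  # no TLS: readable on the wire
    findings = []
    for field, value in parse_qsl(body, keep_blank_values=True):
        decoded = try_b64(value)
        if decoded is None:
            continue
        kinds = [k for k, rx in PII_PATTERNS.items() if rx.match(decoded)]
        findings.append({"field": field, "decoded": decoded,
                         "pii": kinds, "cleartext_transport": cleartext})
    return findings


if __name__ == "__main__":
    for finding in audit_request(SAMPLE_URL, SAMPLE_BODY):
        print(finding)
```

Any field this reports is protected only by whatever the transport provides; the encoding itself adds no confidentiality.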
The Congress party deleted its app before leveling the charges against India's governing party, the BJP. The latter, however, said the permissions required are all contextual and cause-specific and that the data is being used for analytics through a third-party service.