Prime Minister Narendra Modi’s official app, which has been downloaded over five million times on Android devices, have been found sending user data to a US-based company without taking the user’s consent. The French security researcher, who goes by the alias Elliot Alderson, highlighted the vulnerability on Twitter.
In a series of tweets, the security researcher highlighted that the NaMo app was sending personal user data to a third-party domain that was traced to an American company. He later tweeted that the app had “quietly” updated its privacy policy after his tweets.
NDTV claims to have verified Alderson’s claims by consulting experts who found that the app is indeed sending user data to a website called in.wzrkt.com. The app was sending information such as the name, email address, gender and city. However, the app never asked for permission before sending the data, which is what other apps usually do.
The domain name was found to have belonged to a company called WizRocket Inc, which NDTV claims, is registered in California. A quick Google search shows WizRocket is a data analytics platform developed by another US-based firm called CleverTap.
CleverTap was founded by three Indians in 2013 and has offices in several cities across the United States and in India including New Delhi, Mumbai and Bengaluru. According to CleverTap’s website, it is a mobile marketing platform that “visually builds and delivers omnichannel campaigns based on user behaviour, location and lifecycle stage.”
The data breach is alarming, especially in the context of the ongoing Facebook scandal where data on 50 million users were harvested by a seemingly harmless quiz app and sold to Cambridge Analytica, a firm specialising in using psychographic information to boost election campaigns.