
It is usual for app developers to buy source code for cheap and work on their own customisations and improvements to quickly launch an app. But in this hurry to cash in on the negative sentiments against TikTok, the creator of Mitron, which is hoping to offer an alternative for the Chinese short video platform, seems to have missed out on making necessary changes to the source code of TicTic, a TikTok ripoff created by Pakistan-based coding company Qboxus. A cyber expert now says it is risky to use the Mitron app in its present form.
Satyajit Sinha, cybersecurity researcher at Counterpoint, told indianexpress.com: “It’s risky to use Mitron app given it doesn’t have any additional firewall or software security on top of the source code. The privacy policy is weak and that can put user data at risk in the long run.”
Irfan Sheikh of Qboxus from Lahore, the company that sold the source code to Shivank Agarwal — reportedly an IIT Roorkee student — also told indianexpress.com that “Mitron app has privacy issues because the app developer has not uploaded the privacy policy.” He said they do not encourage their buyers to just put it out there for public use as it is.
All attempts to contact Agarwal proved futile. The Mitron app now has over 5 million downloads with a 4.7 rating. Interestingly, the Qboxus website showcases Mitron as one of its best apps.
A few days back Sheikh had rubbished Mitron’s claims of being a “made-in-India” app. “We expect our customers to use our code and build something on their own,” he said. But Mitron’s developer, Sheikh added, has taken the exact product — TicTic, changed the logo and uploaded it on their store. “There is no problem with what the developer has done. He paid for the script and used it, which is okay. But, the problem is with people referring to it as an Indian-made app, which is not true especially because they have not made any changes,” Sheikh said.
According to Sheikh, Agarwal reached out to them to buy the source code of the TicTic app and later launched it as Mitron in India. Agarwal purchased the code for $34, roughly Rs 2,500.
“Our company’s main goal is to build clones of trending mobile apps and we sell the code on code canyon. We have clones of Tinder, Badoo too available,” he said. Sheikh clarified: “Mitron has used their own servers so the data is stored on Mitron server and we have nothing to do there.”
Sinha said that while there is no issue in the source code coming from Pakistan, it should never have been used as it is. Given that there are no changes to the algorithms, there is a chance that if Qboxus wants to sell the source code to a third party, they can easily do that and then tap into the database of Mitron users, the expert explained.
Sinha also warned of the possibility that the company might push out malicious code or malware in a future update, giving them direct control of the app. He further said any app that asks for access to a phone’s camera, microphone and location comes with a huge risk and provides access that can allow such apps to monitor users 24×7. “Not just Mitron, any app that asks for access to the camera, location and microphone is risky to use, including TikTok,” Sinha said.
Sheikh countered that it is wrong to think Qboxus can put data of millions at stake. “In simple terms, Qboxus just sells the source code of trending or famous apps. Qboxus has nothing to do with that buyer app after the purchase,” he told indianexpress.com, adding that they just create and sell templates.
“It’s up to each buyer to add security protection measures according to their needs, and make some additional customisations.”
Sheikh said that while his company does push out updates to its apps, it is up to the developer whether to include them in his app. “We will push out updates to fix bugs in TicTic app and since Agarwal has bought the license, he will also receive the updated code notification in their email from the codecanyon. After that, it’s up to him if he wants to push that update into Mitron or not. In short, once you purchase the license from codecanyon, the buyer receives the updates lifetime free of cost without paying additional money.”
Sheikh said Qboxus has many Indian customers, such as Follow, Kidstok, and Hottocks, whose apps are available on the Google Play store.
Sinha, meanwhile, suggested Google should have a set of strict protocols to be followed before an app is listed on the Play store to avoid issues like this in the future.