More Indian Government Data Security Vulnerabilities Alleged
Researcher Claims NaMo App, National Congress App, Have Security Weaknesses
A security researcher claims that Prime Minister Narendra Modi's app, called the NaMo app, is vulnerable and has been sharing information about its users, without their permission, to a third party in the United States.
The researcher, who is apparently from France and goes by the Twitter name Elliot Alderson, says in his tweets that the application is sending personal information of its users, including email, photos, gender and name, to the domain in.wzkrt.com, which is owned by the U.S. analytics firm CleverTap. Earlier, the researcher exposed various vulnerabilities on government websites and in Aadhaar.
The NaMo app provides updates about the prime minister and his initiatives and offers an opportunity to receive messages and emails directly from him.
The app's privacy policy states: "Certain information may be processed by third-party services to:
- Offer you the most contextual content;
- Show content in your own language;
- Update you when the PM is in your state;
- Give you a unique, personalized experience according to your interests;
- Give you important updates on email and sms."
The policy continues: "The following information may be processed by third party services to offer you a better experience as stated above:
- Name, email, mobile phone number;
- Device information, location and network carrier."
ISMG contacted the Ministry of Information Technology as well as CleverTap to get their comments on the matter, but did not receive any response.
In another revelation, Alderson claims that the app of the Indian National Congress, the party in opposition, doesn't use proper encryption. When a user signs up for the Congress app, unencrypted personal data is routed to the app's servers in Singapore, potentially exposing it.
After the researcher's revelation, the Indian National Congress deleted the app from the Google Play Store, but it refuted the researcher's findings.
Divya Spandana, the Congress' head of social media and digital communication, said the membership URL tweeted by Alderson was outdated. "It was primarily a membership app. Those who had it were using it for social media updates. Five months ago, we transitioned from app to website for membership. People on the app were still being led to the old membership URL which was http://membership.inc.in, which caused this confusion. So we took it down," Spandana told the Times of India.
Reacting to the app being deleted, Alderson told the Times of India: "I think they got scared after my first tweet saying that I will look into their app."
Ironically, the government of India on March 22 lambasted Facebook for a breach of privacy.
Security of Apps
In light of the latest vulnerability revelations, some security leaders are questioning the overall security posture of India's government-related apps.
"The government and other political parties continue to disappoint us," says Dinesh O. Bareja, COO at Open Security Alliance, an information security research company. "They continue to make a mockery of themselves in front of the world. On the one hand they are criticizing Facebook, on the other they are having the same malpractices."
Privacy "is very easy to preach but difficult to practice," says Bareja, who claims the government is "conveniently silent on its own misdoings. Nothing will improve if the government doesn't lead by example."
Rama Vedashree, CEO at Data Security Council of India, a not-for-profit industry body on data protection in India, says security is "collective responsibility of stakeholders spanning large internet companies, government agencies, startups, end users and regulatory agencies."
The latest concerns raised about Indians' privacy have many security practitioners calling for stringent privacy regulations for government and private enterprises alike. The Supreme Court last year ruled that privacy is a fundamental right.
"It's about time to come up with a strong privacy law, or else data leaks will keep happening," says a Bangalore-based practitioner who works for a bank, who asked not to be named.
Prashant Mali, cyber law advocate, says the Election Commissioner must also take strict action.
"It's time to review the entire governance and policies around data protection and privacy and reviews of policies and practices both internal and the third-party ecosystem that rides on their platform," Vedashree says. "It's also a timely reminder for global internet companies and government agencies on their responsibilities to design trustworthy platforms and apps keeping users center-stage, and demonstrate by example to win and retain user trust."
Although these incidents are creating awareness about privacy, "we need to strengthen our legal framework by adopting a federal law like GDPR [EU's General Data Protection Regulation] to bring about a transformation in management of privacy," says Ganesh Viswanathan, CISO at Quatrro, a global services company.
Some security experts advise that such a regulation in India should require that:
- Advance notice about data being collected be provided;
- Users grant permission before their data is shared with third parties;
- Information collected be limited to the function or use of the app;
- Users be enabled to access and correct information collected by app developers;
- App developers provide transparency on the use of information gathered.