
Payment and wallet apps are primarily built to perform operations like transferring money between wallets/bank accounts, recharging phones, etc. However, some of these apps get access to your sensitive information, like your contact list, which WiFi networks you’re on, your call record data, which apps you’ve installed, and your phone’s microphone, among other things. When installing an application, most users accept permission requests without reading them or realising their implications.


MediaNama looked into 12 different mobile wallet apps and reviewed the Android permissions that these apps were seeking. We also spoke with Internet security consultant Akash Mahajan to understand how different Android permissions can give access to sensitive user data. Based on this, we narrowed down some privacy issues that these apps could pose to a user:

1. Read your Web bookmarks and history
Out of all the permission requests, the Paytm app on Android was the only application requesting access to “read your Web bookmarks and history”. None of the other wallet apps that MediaNama reviewed required this permission. Note that a Reddit user in April pointed out that an Uber app update requested the same permission; upon flagging it to Uber, the company immediately took the permission down.

2. Read sensitive log data

What it means: Every app logs device- and app-specific information every time it executes a command, completes an update, or when a user logs in with his User ID. In some cases, an app with this permission can gain access to sensitive data like the MAC ID, IMEI number, saved WiFi network info, and other apps installed on the device. Sometimes a user authenticates with an app using his/her Gmail or Facebook account, and the app can read info about these accounts from the log.

By collecting WiFi network information, including network name (SSID), an app developer can employ data analytics and identify a cluster of users connected to the same network. This allows the developer to determine that the cluster of users could be users in the same office/home/public location, according to Mahajan.

Apps requesting access to sensitive log data: PayUMoney (P.S.: MyJio, JioSecurity and JioSwitch also request the sensitive log permission)

3. Record audio

What it means: This permission simply allows an application to record audio via the phone’s microphone. The Android developer guide classifies the ‘protection level’ for such a permission (for a user) as ‘dangerous’, which means that the permission “would give a requesting application access to private user data or control over the device that can negatively impact the user.”

Apps requesting the permission: FreeCharge, Airtel Money, JioMoney Wallet

4. Modify Contacts

What it means: Although most mobile wallet apps request permission only to ‘read contacts’ information for the purpose of making a recharge or sending money, some apps might seek permission to modify or edit your existing contacts. This allows an application to write new contacts as well as modify existing ones. The Android developer guide again classifies the protection level for this permission as ‘dangerous’.

Apps requesting the permission: Paytm, FreeCharge, Vodafone M-pesa

5. Read call log, reroute outgoing calls, directly call phone numbers

What it means: The ‘Read call log’ permission allows an application to read the user’s call log information such as phone number, duration of call, and time when the call was placed. The ‘Reroute outgoing calls’ and ‘directly call phone numbers’ permissions are granted under the telephony permission as per the Android developer guide. They allow the requesting app to directly call phone numbers, modify an active call placed via the app, and even make calls without the user’s knowledge.

Apps requesting access to call logs: FreeCharge, MobiKwik Lite
Apps requesting access to place calls: FreeCharge, JioMoney Wallet, State Bank Buddy Wallet
Apps requesting access to reroute/modify calls: FreeCharge

6. Read phone status and identity

What it means: The Android developer guide mentions that apps seeking this permission can gain access to information like “phone state, including the phone number of the device, current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device”.  ‘PhoneAccounts’ is an Android classification which helps identify apps and user accounts that run using a unique phone number. The developer guide classifies protection level as ‘dangerous’ for this permission.

Apps requesting the permission: Almost all, including Paytm, FreeCharge, MobiKwik, Oxigen Wallet, PayUMoney, JioMoney Wallet, Airtel Money, Vodafone M-pesa, Idea Money, and Citrus Wallet.

7. Location tracking using GPS/telecom network

What it means: These permissions allow the requesting app to track the exact location of a user via GPS, or through the mobile network signals that the phone is picking up from a nearby tower.

Apps requesting location tracking: All 12 apps that MediaNama reviewed requested access to “exact or precise location”.
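To check an app against the seven categories above, the following sketch (an added example, not part of MediaNama's review) reads a decoded AndroidManifest.xml and groups the permissions it declares under those headings. The mapping from the store labels quoted above to Android permission constants is this example's own, and the manifest and package name are constructed sample data.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Article heading -> Android permission constants behind that label.
# The mapping is supplied by this example; the article quotes labels only.
CATEGORIES = {
    "1. Web bookmarks and history": ["com.android.browser.permission.READ_HISTORY_BOOKMARKS"],
    "2. Sensitive log data": ["android.permission.READ_LOGS"],
    "3. Record audio": ["android.permission.RECORD_AUDIO"],
    "4. Modify contacts": ["android.permission.WRITE_CONTACTS"],
    "5. Call log and calls": ["android.permission.READ_CALL_LOG",
                              "android.permission.PROCESS_OUTGOING_CALLS",
                              "android.permission.CALL_PHONE"],
    "6. Phone status and identity": ["android.permission.READ_PHONE_STATE"],
    "7. Location": ["android.permission.ACCESS_FINE_LOCATION",
                    "android.permission.ACCESS_COARSE_LOCATION"],
}

def requested_permissions(manifest_xml):
    """Return the set of permission names declared in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    names = set()
    # Permissions can be declared with either element name.
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for element in root.iter(tag):
            name = element.get(ANDROID_NS + "name")
            if name:
                names.add(name.strip())
    return names

def audit(manifest_xml):
    """Map each article category to the matching permissions the app requests."""
    requested = requested_permissions(manifest_xml)
    report = {}
    for category, constants in CATEGORIES.items():
        hits = [c for c in constants if c in requested]
        if hits:
            report[category] = hits
    return report

# Constructed sample manifest; com.example.wallet is a hypothetical package.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.wallet">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.WRITE_CONTACTS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission-sdk-23 android:name="android.permission.READ_PHONE_STATE"/>
</manifest>"""

if __name__ == "__main__":
    for category, hits in audit(SAMPLE_MANIFEST).items():
        print(category, "->", ", ".join(h.rsplit(".", 1)[-1] for h in hits))
```

The input must be the text form of the manifest; the binary AndroidManifest.xml inside an APK has to be decoded first.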

Our Take (by Nikhil Pahwa)

Most users aren’t aware of the implications of permissions being taken by Wallet apps, and have no control over the data that is being collected. This is particularly significant, because apart from demographic and payment data, Wallet applications are in a position to collect a significant amount of behavioral information on users, which can be used to create granular profiles of users, and market services to them. There is also a greater security risk created, because of the volume of data being sought and possibly stored. Users have no control over their data, and in the absence of a privacy law in India, they have no recourse over how their data is collected, used, how long it is stored, or even if it is stored. This needs to be addressed, and quickly, as more people come online, and get connected to digital payments.

Tip: Here is how to revoke individual permissions for each app installed on your Android phone. (Hat tip: @surinderxx)