wordpress blog stats
Connect with us

Hi, what are you looking for?

On Indian Mobile wallet apps and the sensitive user data they collect – Part 1


Payment and wallet apps are primarily built to perform operations like transferring money between wallets/bank accounts, recharging phones, etc. However some of these apps get to access to your sensitive information, like your contact list, which WiFi networks you’re on, your call record data, which apps you’ve installed, the microphone of your application, among other things. When installing an application, most users accept permission requests without reading them, and realising their implications.

Also Read: On Indian mobile banking apps and the sensitive user data they collect – Part 2

MediaNama looked into 12 different mobile wallets apps and reviewed Android permissions that these apps were seeking. We also spoke with Internet security consultant Akash Mahajan to understand how different Android permissions can gain access to sensitive user data. Based on this we narrowed down some privacy issues that these apps could pose to a user:

1. Read your Web bookmarks and history
Out of all the permission requests, the Paytm app on Android was the only application requesting access to “read your Web bookmarks and history”. None of the other wallet apps that MediaNama reviewed required this permission. Note that a Reddit user in April pointed out that an Uber app update requested same permission; upon flagging it to Uber, the company immediately took the permission down. More here

2. Read sensitive log data

Advertisement. Scroll to continue reading.

What it means:  Every app logs device and app specific information every time it executes a command, completes an updates, or when a user logs-in with his User ID. In some cases, the app can gain access to sensitive data like MAC ID, IMEI no, saved WiFi networks info, and other apps installed on the device. Sometimes a user authenticates with an app using his/her Gmail or Facebook account, and the app can read info of these accounts from the log.

By collecting WiFi network information, including network name (SSID), an app developer can employ data analytics and identify a cluster of users connected to the same network. This allows the developer to determine that the cluster of users could be users in the same office/home/public location, according to Mahajan.

Apps requesting access to sensitive log data: PayUMoney, (P.S: MyJio, JioSecurity, JioSwitch also requests sensitive log permission)

3. Record audio

What it means: This permission simply allows an application record audio via the phone’s microphone. Android developer guide classifies the ‘protection level’ for such a permission (for a user) as ‘dangerous’, which means that the permission “would give a requesting application access to private user data or control over the device that can negatively impact the user.”

Apps requesting the permission: FreeCharge, Airtel Money, JioMoney Wallet

Advertisement. Scroll to continue reading.

4. Modify Contacts

What it means: Although most mobile wallet apps requests permissions to only ‘read contacts’ information for the purpose making a recharge, or sending money, some apps might seek permission to modify or edit your existing contacts. This allows an application to write new contacts as well as modify existing ones. Android developer guide again classifies protections level for this permission as ‘dangerous’.

Apps requesting the permission: Paytm, FreeCharge, Vodafone M-pesa

5. Read call log, reroute outgoing calls, directly call phone numbers

What it means: ‘Read call log’ permission allows an application to read the user’s call log information such as phone number, duration of call, and time when call was places. ‘Reroute outgoing calls’ and ‘directly call phone number’ permissions are granted under telephony permission as per Android developer guide. It allows the requesting app to directly call phone numbers, modify an active call placed via the app, and even make calls without user’s knowledge.

Apps requesting access to call logs: FreeCharge, MobiKwik Lite
Apps requesting access to place calls: FreeCharge, JioMoney Wallet, State Bank Buddy Wallet
Apps requesting access to reroute/modify calls: FreeCharge

Advertisement. Scroll to continue reading.

6. Read phone status and identity

What it means: The Android developer guide mentions that apps seeking this permission can gain access to information like “phone state, including the phone number of the device, current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device”.  ‘PhoneAccounts’ is an Android classification which helps identify apps and user accounts that run using a unique phone number. The developer guide classifies protection level as ‘dangerous’ for this permission.

Apps requesting the permission: Almost all including Paytm, FreeCharge, MobiKwik, Oxigen Wallet, PauUMoney, JioMoney Wallet, Airtel Money, Vodafone M-pesa,  Idea Money, and Citrus Wallet.

7) Location tracking using GPS/telecom network

What it means:  Apps requesting these permissions allow it track the exact location of a user via GPS, or through the mobile network signals that the phone is picking up from a nearby tower.

Apps requesting location tracking: All 12 apps that MediaNama reviewed requested access to “exact or precise location“.

Advertisement. Scroll to continue reading.

Our Take (by Nikhil Pahwa)

Most users aren’t aware of the implications of permissions being taken by Wallet apps, and have no control over the data that is being collected. This is particularly significant, because apart from demographic and payment data, Wallet applications are in a position to collect a significant amount of behavioral information on users, which can be used to create granular profiles of users, and market services to them. There is also a greater security risk created, because of the volume of data being sought and possibly stores. Users have no control over their data, and in the absence of a privacy law in India, they have no recourse over how their data is collected, used, how long it is stored, or even if it is stored. This needs to be addressed, and quickly, as more people come online, and get connected to digital payments.

Tip: Here is how to revoke individual permission for each app installed on your Android phone. (Hat tip: @surinderxx)

Written By

MediaNama’s mission is to help build a digital ecosystem which is open, fair, global and competitive.



Releasing the policy is akin to putting the proverbial 'cart before the horse'.


The industry's growth is being weighed down by taxation and legal uncertainty.


Due to the scale of regulatory and technical challenges, transparency reporting under the IT Rules has gotten off to a rocky start.


Here are possible reasons why Indians are not generating significant IAP revenues despite our download share crossing 30%.


This article addresses the legal and practical ambiguities in understanding the complex crypto ecosystem in India.

You May Also Like


Google has released a Google Travel Trends Report which states that branded budget hotel search queries grew 179% year over year (YOY) in India, in...


135 job openings in over 60 companies are listed at our free Digital and Mobile Job Board: If you’re looking for a job, or...


Rajesh Kumar* doesn’t have many enemies in life. But, Uber, for which he drives a cab everyday, is starting to look like one, he...


By Aroon Deep and Aditya Chunduru You’re reading it here first: Twitter has complied with government requests to censor 52 tweets that mostly criticised...

MediaNama is the premier source of information and analysis on Technology Policy in India. More about MediaNama, and contact information, here.

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ

Subscribe to our daily newsletter
Your email address:*
Please enter all required fields Click to hide
Correct invalid entries Click to hide

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ