On UPI apps and the sensitive user data they collect – Part 3


Recently, the National Payments Corporation of India (NPCI) unveiled its flagship payments architecture, the Unified Payments Interface (UPI), which went live with 21 banks. UPI seeks to simplify how online payments are made in the country by removing the messy ‘two-factor authentication’ and the need to recall IFSC codes and bank account numbers every time you need to make a payment online. How this works is explained here.

UPI is touted as the gateway to India’s cashless switch, at a time when the government has initiated a massive demonetization move which has drawn both criticism and approval from many. MediaNama reviewed 20 different Android-based UPI apps developed by both banks and non-banking developers to examine whether these apps are violating user privacy or collecting sensitive information. Although most apps seem safer, some of them have been found to request permissions to record audio, retrieve info about other apps running on your phone, and even make calls (we are not sure why).

Also Read:
On Indian Mobile wallet apps and the sensitive user data they collect – Part 1
On Indian mobile banking apps and the sensitive user data they collect – Part 2

1) Read sensitive log data

As we explained in the previous posts, every app generates log details whenever it executes a command, connects to a network, or completes an update. An app requesting to read log data can read sensitive info like the MAC ID, IMEI number, saved WiFi network info, and details about other apps installed on the device. In many cases, a user authenticates with an app using his/her Gmail or Facebook account, and the app can read info about these accounts from the logs generated.

By collecting WiFi network information, including network name (SSID), an app developer can employ data analytics and identify a cluster of users connected to the same network. This allows a developer to determine that the cluster of users could be users in the same office/home/public location, security consultant Akash Mahajan told MediaNama in an interview when we asked him about the permission.

Apps requesting access to sensitive log data: Trupay India (not a bank-owned app). P.S.: MyJio, JioSecurity and JioSwitch also request the sensitive log permission.

2) Record audio

This permission simply allows the requesting application to record audio via the phone’s microphone. The Android developer guide classifies the ‘protection level’ for such a permission (for a user) as ‘dangerous’, meaning the permission “would give a requesting application access to private user data or control over the device that can negatively impact the user.” It’s really not clear why a UPI money transfer app would want to gain access to a user’s microphone.

Apps requesting the permission: YES PAY Wallet (YES Bank)

3) Retrieve running apps

This permission allows an app to find out, in real time, what other applications are currently or recently running on your phone, as well as the different sub-tasks (activities running in an app) on the phone. The Android developer guide mentions that this permission was discontinued with the rollout of Android Lollipop due to security risks. The permission can, however, still be granted and work on phones with Android versions below Lollipop. Note that a handful of the UPI apps that MediaNama reviewed did not want access to background apps, which means that a UPI-based payment can obviously be completed without accessing your task list.

Apps requesting the permission: Axis Pay UPI App, UCO UPI (UCO Bank), Allahabad Bank UPI, CSB-UPI (Catholic Syrian Bank), UPI Social Payments & Split (Non-bank owned), Lotza UPI (Federal Bank), YES PAY Wallet (YES Bank)

4) Directly call phone numbers

Some UPI apps requested permission to ‘directly call phone numbers’, which is granted under Android’s telephony permission and allows the app to directly call phone numbers (at times without the user’s knowledge). Although a bunch of UPI-based apps wanted permission to make calls, many did not request such a permission, denoting that i) developers could have been careless while writing code, and ii) UPI payments via apps can be done without access to make calls.

Apps requesting to read call logs: PNB UPI, Trupay India (non-bank owned), United UPI (United Bank of India), UCO UPI (UCO Bank), VIJAYA UPI (Vijaya Bank), SIB M-Pay (South Indian Bank), UPI Bank Transfer with Friends (non-bank owned), Allahabad Bank UPI, CSB-UPI (Catholic Syrian Bank)

5) Location tracking using GPS/telecom network

What it means: These permissions allow the requesting app to track the precise location of a user (down to coordinates) via GPS, or through the mobile network signals that the phone is picking up from a nearby tower.

Apps requesting location tracking: 18 of the 19 UPI apps (all except SBI Pay) that MediaNama reviewed requested access to “exact or precise location” which requested for tracking via network:

Trupay India (not a bank-owned app)
YES PAY Wallet (YES Bank)
Axis Pay UPI App
Allahabad Bank UPI
CSB-UPI (Catholic Syrian Bank)
UPI Social Payments & Split (Non-bank owned)
Lotza UPI (Federal Bank)
United UPI (United Bank of India)
VIJAYA UPI (Vijaya Bank)
SIB M-Pay (South Indian Bank)
Eazypay (ICICI bank)
Maha UPI (Maharashtra bank)
Andhra Bank ONE (Andhra Bank)
Canara Bank UPI- eMpower
Union Bank UPI App
KBL SMARTz (Karnataka Bank)
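
The five permission groups covered in this review can be checked against any app's AndroidManifest.xml once it has been decoded to text XML. The Python sketch below is an added example, not MediaNama's own tooling: the Android permission constant names are supplied here to match the article's categories, the sample manifest is constructed, and API level 21 is taken as Android Lollipop.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
LOLLIPOP = 21  # API level of Android 5.0 (Lollipop)

# Android permission constant -> the article's category for it (mapping added here).
FLAGGED = {
    "android.permission.READ_LOGS": "Read sensitive log data",
    "android.permission.RECORD_AUDIO": "Record audio",
    "android.permission.GET_TASKS": "Retrieve running apps",
    "android.permission.CALL_PHONE": "Directly call phone numbers",
    "android.permission.ACCESS_FINE_LOCATION": "Location tracking (GPS)",
    "android.permission.ACCESS_COARSE_LOCATION": "Location tracking (network)",
}

def audit_manifest(manifest_xml):
    """Return [(category, permission, note)] for flagged permissions that can apply."""
    root = ET.fromstring(manifest_xml)
    sdk = root.find("uses-sdk")
    min_sdk = int(sdk.get(ANDROID + "minSdkVersion", 1)) if sdk is not None else 1
    findings, seen = [], set()
    for node in root.iter("uses-permission"):
        name = node.get(ANDROID + "name")
        if name not in FLAGGED or name in seen:
            continue
        max_sdk = node.get(ANDROID + "maxSdkVersion")
        if max_sdk is not None and int(max_sdk) < min_sdk:
            continue  # request expires below the lowest Android version the app supports
        seen.add(name)
        note = ""
        if name.endswith("GET_TASKS"):
            note = ("effective on devices below Lollipop" if min_sdk < LOLLIPOP
                    else "app only installs on Lollipop or later, where this is restricted")
        findings.append((FLAGGED[name], name, note))
    return findings

# Constructed sample manifest for a hypothetical app; not taken from any reviewed app.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.upi">
  <uses-sdk android:minSdkVersion="16" android:targetSdkVersion="23"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.GET_TASKS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.CALL_PHONE" android:maxSdkVersion="15"/>
</manifest>"""

if __name__ == "__main__":
    for category, permission, note in audit_manifest(SAMPLE_MANIFEST):
        print(f"{category}: {permission} {note}".rstrip())
```
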

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ