India’s telecom regulator TRAI recently launched an app for collecting feedback on call quality straight from users, a different app for testing data download speeds directly from users, and a Do Not Disturb (DND) app for filtering spam. However, a closer look at the Android permissions requested by TRAI’s apps shows requests for access to sensitive information like location, contacts and call logs, and even for re-routing outgoing calls.
Although some risky permissions might be required for running the app (like location, call logs, etc.), TRAI does not mention whether it stores sensitive data on its servers or internally within users’ devices. It does, however, mention that submitting feedback via the app is not equal to registering a complaint. “The (speed test) app does not send any personal user information. All results are reported anonymously,” added TRAI.
But in particular instances, there is no explanation as to why an app requires sensitive permissions. For example, the MyCall app, which helps fetch feedback from users on call quality, requests permission to read my contacts. TRAI says that all data submitted to it will be anonymous, but silently accessing the contact information of its app users is not justified, and TRAI does not make any mention of why it requires contact details for measuring call quality. Secondly, all the apps released by TRAI request access to my ‘device ID and identity’, which can be used to track the phone number of the device itself. This again contradicts TRAI’s earlier claim that data is not linked to user profiles. Here is a lowdown of all the privacy issues that these apps could pose:
1) Read/write call log, reroute outgoing calls, directly call phone numbers
What it means: The ‘Read call log’ permission allows an application to read the user’s call log information such as phone number, duration of the call, and time when the call was placed, while ‘write call log’ allows the app to input call log details by itself. The ‘Reroute outgoing calls’ and ‘directly call phone number’ permissions are granted under the telephony permission as per the Android developer guide. They allow the requesting app to directly call phone numbers, modify an active call placed via the app, and even make calls without the user’s knowledge.
Apps requesting access to call logs: TRAI MyCall, Do Not Disturb (DND 2.0)
Apps requesting access to place calls: Do Not Disturb (DND 2.0)
Apps requesting access to reroute/modify calls: Do Not Disturb (DND 2.0)
What it means: The Android developer guide mentions that apps seeking this permission can gain access to information like “phone state, including the phone number of the device, current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device”. ‘PhoneAccounts’ is an Android classification which helps identify apps and user accounts that run using a unique phone number. The developer guide classifies protection level as ‘dangerous’ for this permission.
What it means: These permissions allow the requesting app to track the exact location of a user via GPS, or through the mobile network signals that the phone is picking up from a nearby tower. TRAI’s MySpeed app and MyCall app use location info to map out call/download quality of a particular geographical area. However, we would like to point out that TRAI could have gone with network mapping via nearby towers instead of GPS location since accuracy isn’t important in this scenario.
What it means: This permission allows any requesting app to create, modify, or delete any files that reside on the SD card. TRAI’s MyCall and DND apps request permission to not only read your media files, but also modify and delete existing files on the SD card. Although reading files can be acceptable for uploading screenshots and other images, it’s not clear why TRAI’s apps want ‘modifiable access’ to media files on a device.
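The same review can be repeated for any app by checking its decoded AndroidManifest.xml against the permissions covered in this rundown. The script below is an added example, not code from TRAI or from this article: the manifest is constructed, the package name com.example.callquality is hypothetical, and the set of "justified" categories is an assumption a reviewer would fill in from the app's stated purpose.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions discussed in the article (all 'dangerous' protection level),
# mapped to the category of data or capability they expose.
RISKY = {
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_CALL_LOG": "call log",
    "android.permission.WRITE_CALL_LOG": "call log",
    "android.permission.CALL_PHONE": "place calls",
    "android.permission.PROCESS_OUTGOING_CALLS": "reroute calls",
    "android.permission.READ_PHONE_STATE": "device ID / phone state",
    "android.permission.ACCESS_FINE_LOCATION": "location (GPS)",
    "android.permission.ACCESS_COARSE_LOCATION": "location (network)",
    "android.permission.READ_EXTERNAL_STORAGE": "storage",
    "android.permission.WRITE_EXTERNAL_STORAGE": "storage",
}

# Constructed manifest for a hypothetical call-quality feedback app.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.callquality">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
</manifest>"""

def audit(manifest_xml, justified):
    """Return (risky permissions requested, those with no stated justification)."""
    root = ET.fromstring(manifest_xml)
    requested = []
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            name = el.get(ANDROID_NS + "name")
            if name in RISKY and name not in requested:
                requested.append(name)
    unexplained = [p for p in requested if RISKY[p] not in justified]
    return requested, unexplained

if __name__ == "__main__":
    # Assumption: a call-quality app can justify call logs and tower-level location.
    requested, unexplained = audit(SAMPLE_MANIFEST, {"call log", "location (network)"})
    for perm in requested:
        status = "UNEXPLAINED" if perm in unexplained else "ok"
        print(f"{status:12} {perm}  [{RISKY[perm]}]")
```

Because GPS and network location are separate categories here, an app that only needs area-level mapping is flagged when it asks for fine location, which mirrors the point made above about tower-based mapping.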