Thursday, June 19, 2025

Security Vulnerabilities of the NaMo App

The NaMo app, used by Prime Minister Narendra Modi, has been found to have significant security vulnerabilities, raising concerns about user data privacy. In 2016, a 22-year-old hacker, Javed Khatri, claimed to have successfully accessed the private data of over 7 million users of the app. The data included phone numbers, email addresses, names, locations, and interests, and the flaw even made it possible to make a user follow any other user on the platform. The hacker demonstrated the ease with which the app could be compromised, highlighting the poor security measures in place.

https://www.indiatoday.in/fyi/story/security-22-year-old-hacks-modi-app-private-data-7-million-355398-2016-12-02

The core of the problem lay in how the app communicated with its API (Application Programming Interface) at narendramodi.in. One major issue was the lack of proper authentication for API endpoints, allowing unauthorized access to user data. For example, it was possible to extract email addresses by simply iterating through user IDs. The API was also served over HTTP instead of HTTPS, meaning data was transmitted as plain text, making it vulnerable to interception.

The security flaws in the NaMo app had several potential consequences:

The NaMo App, the official app of Prime Minister Narendra Modi, collects various types of user data. The app requests access to numerous personal features on users’ devices, including location, photographs, contacts, microphone, and camera. The app’s description states that “no permission is compulsory” and that users can disable access in settings, but many permissions are granted by default upon download. The app also collects information such as user photos, gender, name, email ID, location details, profession, interests, IP address, phone number, and device information, and it uses unique application numbers and cookies.

Allegations

The NaMo App shares user data with third-party services for analytics and to provide a better user experience. This includes offering contextual content, showing content in the user’s language, and providing a personalized experience based on interests. The app’s privacy policy was updated to reflect this data sharing, stating that information like name, email, mobile phone number, device information, location, and network carrier may be shared.

Government and BJP Response

Controversy arose when a French security researcher alleged that the NaMo App was sharing user data with a third-party US company, CleverTap, without consent. The BJP (Bharatiya Janata Party) responded to these allegations by stating that most of the data shared on the app was already in the public domain and that user information was stored in an encrypted mode. The researcher claimed that the app was sending user data to a third-party domain. The Congress party also criticized the app, accusing Prime Minister Modi of spying on Indians and building a personal database.

Data Storage Location

CleverTap, the US-based analytics company, stated that it does not sell, share, rent, or re-market user data. The company clarified that it works with first-party data provided by the app publisher, and the data collected is governed by the publisher’s privacy policy. CleverTap also mentioned that it offers various hosting locations globally, including Indian data centers.

Privacy Policy Changes

The government has stated that the data from the NaMo App is saved in Indian servers and is safe. CleverTap also offers Indian data centers for businesses that require them.

About CleverTap

Founded in May 2013 by three Indians, Anand Jain, Sunil Thomas, and Suresh Kondamudi, CleverTap is a mobile marketing firm that provides real-time insights to marketers. Among other services, the company offers behavioral targeting. This means that it studies what users do with an app and this, in turn, helps the app creators tailor user experiences accordingly.

Before launching CleverTap, the three co-founders had worked at media conglomerate Network 18. Jain had earlier co-founded restaurant recommendation engine Burrp, while Thomas spent nine years at Seattle-based internet search firm Infospace (now called Blucora). Kondamudi is an IIT-Madras alumnus with a background in mobile marketing.

So far, CleverTap has raised $9.6 million from marquee investors like Sequoia Capital and Accel Partners, among others.

The Narendra Modi app had come under scrutiny after a Twitter trend called DeleteNamoApp alleged that it shares user data with CleverTap, a third-party data analytics company. This trend gained momentum as users disputed the app’s practices and claimed it was tied to Cambridge Analytica, although evidence to support this was weak. The BJP’s IT Cell reacted to the allegations by promoting the hashtag DeleteCongFakeNews, suggesting this was part of a political rivalry.

Security researcher Elliot Alderson pointed out concerns regarding the Narendra Modi app, particularly its collection of personal and device information sent to third-party domains. CleverTap is known as a popular SDK used by app developers for user engagement and marketing. The data collected includes sensitive information like the device model, carrier, app settings, and other personal details, all sent to a domain associated with CleverTap.

That ominous tweet was followed up by a series of tweets about the Narendra Modi App sending users’ personal and device data to third-party domains.

CleverTap, for those unaware, is a marketing SDK incorporated by app makers to deliver retention, usage, and retargeting campaigns for their users. It provides tools and insights into users and allows developers to send tailored push notifications or email-based campaigns to promote the app’s usage.

Of course, the question is why the NaMo App needs to send data to third-party servers at all. As for what data is being sent, the tweeted pictures clearly show the extent of the collection. Besides the make and model of your phone, everything from your carrier and app settings to all the information you have submitted is being sent to wzrkt.com.

The website clearly belongs to CleverTap, which used to be called Wizrocket when it started out. CleverTap has offices in Los Angeles, San Francisco, and New York, as well as in Bangalore, Mumbai, and New Delhi, but the Indian connection is hard to miss: Sunil Thomas is CEO and Co-founder, Anand Jain is Co-founder, and Suresh Kondamudi is CTO and Co-founder. All three were previously with Network18, the media company owned by Mukesh Ambani’s Reliance Industries. The name was changed from Wizrocket around the middle of 2015. The company has received nearly $10 million in funding, according to Crunchbase.

The Beebom team has reached out to CleverTap through the email contacts on its website for an explanation of the data being collected, the extent of its use, and whether it is stored outside India as well. They will update the story right after they hear back from CleverTap.

Ref: https://beebom.com/narendra-modi-app-data-clevertap/

Questions arise regarding the need for the Narendra Modi app to send this data to external servers. The presence of CleverTap, which has significant ties to the Indian tech landscape, raises further concerns about how this data may be utilized. Attempts to reach CleverTap for clarification on their data collection practices are ongoing.

The privacy policy for the Narendra Modi app has also been criticized for being poorly designed and lacking clear information on its use of the CleverTap SDK. It fails to inform users that their setup profiles are sent to third-party servers for data mining.

Moreover, there are reports of government bodies encouraging the use of the Narendra Modi app for direct communication, which includes collecting personal information from over 15 lakh students in the National Cadet Corps. The Prime Minister’s office indicates that this app is intended to facilitate interaction with cadets.

While the Congress party and Alderson claim that the BJP has been unlawfully sharing its data with CleverTap, cybersecurity experts told Quartz that the company is just one of many such service providers. It’s common for companies to use such third-party data analytics to improve user profiling, said Altaf Halde, global business head at cybersecurity services firm Network Intelligence.

Comparison with Other Apps

Following the allegations, the privacy policy of the NaMo App was updated. The updated policy acknowledges that certain information may be shared with third-party services to improve user experience.

India currently lacks a dedicated legal framework to govern mobile applications, which has been highlighted as a concern in the context of these data privacy issues.

The NaMo App collects user data and shares it with third-party services for analytics and to enhance user experience. While the government and the BJP maintain that the data is stored securely in Indian servers and is not misused, the controversy has raised concerns about data privacy and the need for a stronger legal framework in India.

Danger Ahead: ‘Photo Booth’ on the ‘NaMo App’ showcases the use of AI

‘Photo Booth’ on the ‘NaMo App’ showcases the remarkable use of AI

During a conversation with Bill Gates, PM Modi mentioned that the ‘Photo Booth’ feature on the ‘NaMo App’ highlights how AI is being used.

PM Modi: It’s very helpful for me across the entire country. This is my photo booth—now you can take a selfie here. Just take a selfie on this. Not only that, but in the last 20 years, every photo you and I have taken will be stored here. For example, if at some public event, your part is visible, even if I’m in the photo and you’re not, the system can still match and retrieve it.

This shows how technology can be utilized, and I believe that such applications add real value. Earlier, if I wanted a photo, I had to ask someone to take it. Now, I just say, “Go to AI, go to my Namo A photo booth, take a selfie yourself.” You’ll get all the photos with me, even from the corners where you’re standing. So, we should use technology to help people in their daily lives. My effort is to first make people comfortable, so they feel, “Yes, this is useful for me.” Once it’s helpful, innovation and new features naturally follow.

Remediation and Updates

  • Data Exposure: The primary concern was the exposure of personal data, including email addresses, phone numbers, and potentially other sensitive information.
  • Unauthorized Access: The vulnerabilities allowed unauthorized access to user accounts, enabling actions like posting comments as other users.
  • Privacy Concerns: The app’s data-sharing practices, including sending user data to third-party domains without consent, raised serious privacy concerns.
  • Political Ramifications: The security breaches became a political issue, with opposition parties criticizing the BJP for its handling of user data and the app’s security.

Comparison with Congress App

The developers of the NaMo app addressed some of the vulnerabilities. They fixed the unauthorized access to personal information, implemented authentication checks for API endpoints, and blocked HTTP, ensuring all responses were served over HTTPS. However, the initial fixes were criticized as being insufficient, with the underlying design flaws of the API remaining unaddressed.
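The flaw described earlier (profile data returned for any user ID, over plain HTTP) and the fix described above, side by side, as an added example that is not the app's actual code. The handler names, the HMAC token scheme, and the sample records are assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed sample records and key; not the app's real schema or data.
USERS = {101: {"email": "asha@example.org"}, 102: {"email": "ravi@example.org"}}
SERVER_KEY = b"constructed-demo-key"

def _mac(uid_text):
    return hmac.new(SERVER_KEY, uid_text.encode(), hashlib.sha256).hexdigest()

def issue_token(user_id):
    """Hypothetical session token bound to a single user ID."""
    return f"{user_id}.{_mac(str(user_id))}"

def authenticated_user(token):
    """Return the user ID the token was issued for, or None if invalid."""
    try:
        uid_text, mac = token.split(".", 1)
        uid = int(uid_text)
        ok = hmac.compare_digest(mac.encode(), _mac(uid_text).encode())
    except (AttributeError, ValueError):
        return None
    return uid if ok else None

def get_profile_unchecked(scheme, user_id, token=None):
    """Flaw as described: any caller, any ID, any transport."""
    user = USERS.get(user_id)
    return (200, user) if user else (404, None)

def get_profile_checked(scheme, user_id, token=None):
    """Fix as described: HTTPS only, authenticated, own record only."""
    if scheme != "https":
        return (403, None)          # cleartext request refused
    caller = authenticated_user(token)
    if caller is None:
        return (401, None)          # missing or forged token
    if caller != user_id:
        return (403, None)          # object-level authorization
    user = USERS.get(user_id)
    return (200, user) if user else (404, None)

def readable_ids(handler, scheme, token, ids):
    """Regression check: which IDs in `ids` does this caller get data for?"""
    return [i for i in ids if handler(scheme, i, token)[0] == 200]

if __name__ == "__main__":
    t = issue_token(101)
    print(readable_ids(get_profile_unchecked, "http", None, range(100, 105)))
    print(readable_ids(get_profile_checked, "https", t, range(100, 105)))
```

In a real deployment the transport rule is normally enforced at the TLS terminator or reverse proxy rather than in each handler; the per-record ownership check is the part that has to live in the application.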

The Congress party’s official Android app also faced scrutiny regarding its security practices. It was alleged that the app used HTTP instead of HTTPS for data transmission, potentially exposing user data to interception. The Congress party later removed its app from app stores after these allegations.

CleverTap’s Response

The government and the BJP responded to the allegations by stating that the data is used for analytics, similar to Google Analytics, and is not stored or used by the third-party services. They emphasized that the data exposed by the French Twitter user was data entered by the user on their own device and that there was no security breach. The BJP also stated that the permissions required are contextual and cause-specific. The PMO issued a statement defending the app, highlighting its features and engagement with users.

Ref:

  1. Security flaw: 22-year-old hacks Modi app and accesses private data of 7 million people. [https://www.indiatoday.in/fyi/story/security-22-year-old-hacks-modi-app-private-data-7-million-355398-2016-12-02]
  2. Major Security Flaw in NaMo App. [https://cis-india.org/internet-governance/blog/major-security-flaw-namo-app]
  3. India privacy scandal brews over claim PM Narendra Modi’s app ships personal data abroad. [https://www.scmp.com/news/asia/south-asia/article/2139063/india-privacy-scandal-brews-over-claim-pm-narendra-modis-app]
  4. Data of NaMo app users safe, saved in Indian servers: Govt sources. [https://m.economictimes.com/news/politics-and-nation/data-of-namo-app-users-safe-saved-in-indian-servers-govt-sources/articleshow/63456217.cms]
  5. NaMo App asks for sweeping access: Camera, audio among 22 inputs; Facebook data leak. [https://indianexpress.com/article/india/namo-app-asks-for-sweeping-access-camera-audio-among-22-inputs-facebook-data-leak-5111353/]
  6. ‘NaMo app doesn’t store data to be used by 3rd parties’. [https://timesofindia.indiatimes.com/india/namo-app-doesnt-store-data-to-be-used-by-3rd-parties/articleshow/63457913.cms]
  7. Rahul Gandhi attacks PM Modi again for sharing NaMo app data. [https://www.hindustantimes.com/india-news/rahul-gandhi-attacks-pm-modi-again-for-sharing-namo-app-data/story-LcbcniFSn5Bvoep7GMHDHJ.html]
  8. NaMo app data is shared with third party companies to improve user experience, says BJP. [https://scroll.in/latest/873309/namo-app-data-is-shared-with-third-party-companies-to-improve-user-experience-says-bjp]
  9. Full text: PMO’s response to charges around NaMo app forwarding people’s data to a third party app. [https://www.indiatoday.in/india/story/full-text-pmo-response-to-charges-around-namo-app-forwarding-people-s-data-to-a-third-party-app-1197478-2018-03-25]
  10. NaMo App Data Breach: US-based analytics firm says it doesn’t sell, rent data. [https://www.outlookindia.com/national/namo-app-data-breach-us-based-analytics-firm-says-it-doesnt-sell-rent-data-news-310067]
  11. Privacy Policy. [https://www.narendramodi.in/en/mobile/privacy-policy]
  12. BJP changes privacy setting on NAMO App. [https://www.nationalheraldindia.com/news/bjp-changes-privacy-setting-on-namo-app]
  13. Data leak war: Day after BJP tweaks policy, Congress junks app. [https://timesofindia.indiatimes.com/india/data-leak-war-day-after-bjp-tweaks-policy-congress-junks-app/articleshow/63472986.cms]