India is going through a big change were Government is forcing people to go cashless and there comes the use the use of payment or wallet apps. These days the most downloaded apps in India are payment/wallet apps and Google play has a section displaying it prominently. Indians are not used to apps and especially when it comes to money apps.
Payment and wallet apps are primarily built to perform operations like transferring money between wallets/bank accounts, recharging phones, etc. However some of these apps get to access to your sensitive information, like your contact list, which WiFi networks you’re on, your call record data, which apps you’ve installed, the microphone of your application, among other things. When installing an application, most users accept permission requests without reading them, and realising their implications.
Most users aren’t aware of the implications of permissions being taken by Wallet apps, and have no control over the data that is being collected. This is particularly significant, because apart from demographic and payment data, Wallet applications are in a position to collect a significant amount of behavioral information on users, which can be used to create granular profiles of users, and market services to them. There is also a greater security risk created, because of the volume of data being sought and possibly stores. Users have no control over their data, and in the absence of a privacy law in India, they have no recourse over how their data is collected, used, how long it is stored, or even if it is stored. This needs to be addressed, and quickly, as more people come online, and get connected to digital payments.
A look into different mobile wallets apps and Android permissions that these apps were seeking and privacy issues that these apps could pose to a user:
1. Read your Web bookmarks and history: Out of all the permission requests, the Paytm app on Android was the only application requesting access to “read your Web bookmarks and history”.
2. Read sensitive log data : Every app logs device and app specific information every time it executes a command, completes an updates, or when a user logs-in with his User ID. In some cases, the app can gain access to sensitive data like MAC ID, IMEI no, saved WiFi networks info, and other apps installed on the device. Sometimes a user authenticates with an app using his/her Gmail or Facebook account, and the app can read info of these accounts from the log. By collecting WiFi network information, including network name (SSID), an app developer can employ data analytics and identify a cluster of users connected to the same network. This allows the developer to determine that the cluster of users could be users in the same office/home/public location.
Apps requesting access to sensitive log data: PayUMoney, MyJio, JioSecurity, JioSwitch also requests sensitive log permission
3. Record audio : This permission simply allows an application record audio via the phone’s microphone. Android developer guide classifies the ‘protection level’ for such a permission (for a user) as ‘dangerous’, which means that the permission “would give a requesting application access to private user data or control over the device that can negatively impact the user.”
Apps requesting the permission: FreeCharge, Airtel Money, JioMoney Wallet
4. Modify Contacts : Although most mobile wallet apps requests permissions to only ‘read contacts’ information for the purpose making a recharge, or sending money, some apps might seek permission to modify or edit your existing contacts. This allows an application to write new contacts as well as modify existing ones. Android developer guide again classifies protections level for this permission as ‘dangerous’.
Apps requesting the permission: Paytm, FreeCharge, Vodafone M-pesa
5. Read call log, reroute outgoing calls, directly call phone numbers : ‘Read call log’ permission allows an application to read the user’s call log information such as phone number, duration of call, and time when call was places. ‘Reroute outgoing calls’ and ‘directly call phone number’ permissions are granted under telephony permission as per Android developer guide. It allows the requesting app to directly call phone numbers, modify an active call placed via the app, and even make calls without user’s knowledge.
Apps requesting access to call logs: FreeCharge, MobiKwik Lite
Apps requesting access to place calls: FreeCharge, JioMoney Wallet, State Bank Buddy Wallet
Apps requesting access to reroute/modify calls: FreeCharge
6. Read phone status and identity : The Android developer guide mentions that apps seeking this permission can gain access to information like “phone state, including the phone number of the device, current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device”. ‘PhoneAccounts’ is an Android classification which helps identify apps and user accounts that run using a unique phone number. The developer guide classifies protection level as ‘dangerous’ for this permission.
Apps requesting the permission: Almost all including Paytm, FreeCharge, MobiKwik, Oxigen Wallet, PauUMoney, JioMoney Wallet, Airtel Money, Vodafone M-pesa, Idea Money, and Citrus Wallet.
7. Location tracking using GPS/telecom network : Apps requesting these permissions allow it track the exact location of a user via GPS, or through the mobile network signals that the phone is picking up from a nearby tower.
Apps requesting location tracking: most of the reviewed apps requested access to exact location.