Threats of Indian Mobile payment/wallet Apps 

India is going through a big change where the Government is pushing people to go cashless, and that is where payment and wallet apps come in. These days the most downloaded apps in India are payment/wallet apps, and Google Play has a section displaying them prominently. Indians are not used to apps, especially when it comes to money apps.

  

Payment and wallet apps are primarily built to perform operations like transferring money between wallets/bank accounts, recharging phones, etc. However, some of these apps get access to your sensitive information, like your contact list, which WiFi networks you're on, your call record data, which apps you've installed, and your phone's microphone, among other things. When installing an application, most users accept permission requests without reading them or realising their implications.

Most users aren't aware of the implications of the permissions being taken by wallet apps, and have no control over the data that is being collected. This is particularly significant because, apart from demographic and payment data, wallet applications are in a position to collect a significant amount of behavioral information on users, which can be used to create granular profiles of users and market services to them. There is also a greater security risk because of the volume of data being sought and possibly stored. Users have no control over their data, and in the absence of a privacy law in India, they have no recourse over how their data is collected or used, how long it is stored, or even whether it is stored. This needs to be addressed, and quickly, as more people come online and get connected to digital payments.

A look into different mobile wallet apps, the Android permissions these apps were seeking, and the privacy issues they could pose to a user:
1. Read your Web bookmarks and history: Out of all the permission requests, the Paytm app on Android was the only application requesting access to “read your Web bookmarks and history”.  

2. Read sensitive log data: Every app logs device- and app-specific information every time it executes a command, completes an update, or when a user logs in with their User ID. In some cases, the app can gain access to sensitive data like MAC ID, IMEI number, saved WiFi network info, and other apps installed on the device. Sometimes a user authenticates with an app using his/her Gmail or Facebook account, and the app can read info about these accounts from the log. By collecting WiFi network information, including the network name (SSID), an app developer can employ data analytics and identify a cluster of users connected to the same network. This allows the developer to infer that the users in that cluster could be in the same office/home/public location.

Apps requesting access to sensitive log data: PayUMoney, MyJio, JioSecurity, JioSwitch

3. Record audio: This permission simply allows an application to record audio via the phone's microphone. The Android developer guide classifies the 'protection level' for such a permission (for a user) as 'dangerous', which means that the permission "would give a requesting application access to private user data or control over the device that can negatively impact the user."

Apps requesting the permission:  FreeCharge, Airtel Money, JioMoney Wallet

4. Modify Contacts: Although most mobile wallet apps request permission only to 'read contacts' for the purpose of making a recharge or sending money, some apps might seek permission to modify or edit your existing contacts. This allows an application to write new contacts as well as modify existing ones. The Android developer guide again classifies the protection level for this permission as 'dangerous'.

Apps requesting the permission: Paytm, FreeCharge, Vodafone M-pesa

5. Read call log, reroute outgoing calls, directly call phone numbers: The 'Read call log' permission allows an application to read the user's call log information such as phone number, duration of call, and the time when the call was placed. The 'Reroute outgoing calls' and 'directly call phone numbers' permissions are granted under the telephony permission group as per the Android developer guide. They allow the requesting app to directly call phone numbers, modify an active call placed via the app, and even make calls without the user's knowledge.

Apps requesting access to call logs:  FreeCharge, MobiKwik Lite

Apps requesting access to place calls:  FreeCharge, JioMoney Wallet, State Bank Buddy Wallet

Apps requesting access to reroute/modify calls:  FreeCharge

6. Read phone status and identity: The Android developer guide mentions that apps seeking this permission can gain access to information like "phone state, including the phone number of the device, current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device". 'PhoneAccounts' is an Android classification which helps identify apps and user accounts that run using a unique phone number. The developer guide classifies the protection level as 'dangerous' for this permission.

Apps requesting the permission: Almost all, including Paytm, FreeCharge, MobiKwik, Oxigen Wallet, PayUMoney, JioMoney Wallet, Airtel Money, Vodafone M-pesa, Idea Money, and Citrus Wallet.

7. Location tracking using GPS/telecom network: These permissions allow the requesting app to track the exact location of a user via GPS, or through the mobile network signals that the phone is picking up from a nearby tower.

Apps requesting location tracking: most of the reviewed apps requested access to exact location.
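To check an app against the seven categories above, the following added example (not part of the original article) scans a decoded `AndroidManifest.xml` and groups the permissions it requests by the numbered section that discusses them. The mapping from the Play Store labels used in this article to manifest permission constants is supplied here, the manifest is assumed to be already decoded to text XML, and the sample manifest is constructed for a hypothetical app.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Manifest permission constant -> section of this article that discusses it
# (mapping added for this example, not taken from the article).
FLAGGED = {
    "com.android.browser.permission.READ_HISTORY_BOOKMARKS": "1. Read Web bookmarks and history",
    "android.permission.READ_LOGS": "2. Read sensitive log data",
    "android.permission.RECORD_AUDIO": "3. Record audio",
    "android.permission.WRITE_CONTACTS": "4. Modify contacts",
    "android.permission.READ_CALL_LOG": "5. Call log and calls",
    "android.permission.PROCESS_OUTGOING_CALLS": "5. Call log and calls",
    "android.permission.CALL_PHONE": "5. Call log and calls",
    "android.permission.READ_PHONE_STATE": "6. Read phone status and identity",
    "android.permission.ACCESS_FINE_LOCATION": "7. Location tracking",
    "android.permission.ACCESS_COARSE_LOCATION": "7. Location tracking",
}

def audit_manifest(manifest_xml):
    """Return {article section: sorted permission names} for one decoded manifest."""
    root = ET.fromstring(manifest_xml)
    findings = {}
    for elem in root.iter():
        # Both tags request permissions; the -sdk-23 form applies on Android 6.0+.
        if elem.tag not in ("uses-permission", "uses-permission-sdk-23"):
            continue
        name = elem.get(ANDROID_NS + "name", "").strip()
        section = FLAGGED.get(name)
        if section:
            findings.setdefault(section, set()).add(name)
    return {s: sorted(p) for s, p in sorted(findings.items())}

# Constructed sample manifest for a hypothetical wallet app (not a real app's manifest).
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallet">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.WRITE_CONTACTS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission-sdk-23 android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application android:label="Wallet"/>
</manifest>"""

if __name__ == "__main__":
    for section, perms in audit_manifest(SAMPLE).items():
        print(section, "->", ", ".join(perms))
```

Permissions that are not in the article's list, such as `INTERNET` and `READ_CONTACTS` in the sample, are ignored rather than reported.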


Author: Apps reviewed

a big fan of apps.

11 thoughts on “Threats of Indian Mobile payment/wallet Apps ”

  1. This is a scary threat to privacy. These companies are requesting access to information that has nothing to do with making a payment. If India is doing it, I’m sure other countries will not be far behind. Good article.

    Liked by 1 person

  2. This is a little worrying as I have been a Paytm user for some time now... especially after the demonetisation it's been my go-to app for any sort of payments... and now you make this post... 😦 The post itself is very educational, thank you!

    Liked by 2 people
