A French security researcher, who has kept UIDAI on their toes by exposing various security holes in the Aadhaar infrastructure, has claimed in a series of tweets that Prime Minister Narendra Modi’s application is sending personal information of its users to a third party website called in.wzrkt.com and it is doing so without the user’s consent.
When you create a profile in the official @narendramodi #Android app, all your device info (OS, network type, Carrier …) and personal data (email, photo, gender, name, …) are send without your consent to a third-party domain called https://t.co/N3zA3QeNZO. pic.twitter.com/Vey3OP6hcf
— Elliot Alderson (@fs0c131y) March 23, 2018
After a quick search, this domain belongs to an American company called @CleverTap. According to their description, “#CleverTap is the next generation app engagement platform. It enables marketers to identify, engage and retain users and provides developers" pic.twitter.com/Ikqp9GbCDm
— Elliot Alderson (@fs0c131y) March 23, 2018
Pushing personal information such as email, photo, name, gender etc to a third party website without a user’s consent is a serious privacy breach. To ascertain whether this privacy breach occurred or not, Alt News decided to take a deep dive into this issue and investigated PM Modi’s Android App.
Sniffing data transmitted by your phone
To ascertain whether your phone is transacting with a certain website or not, the data between the phone and the outside world needs to be intercepted. There are several software applications which allows one to do so. We used a popular software called Charles. As described on the Charles website, it enables one to view all the HTTP and SSL/HTTPS traffic between a machine and the Internet. The trial version of Charles works for 30 days after installation and runs only 30 minutes at a time. Details of how to configure Charles and your phone to intercept data is provided at the bottom of the article in the section “Technical Details”.
Intercepting data
To verify the claim of the researcher, we installed the Narendra Modi Android app on our phone, tapped on the “Sign Up” button at the bottom and created a profile.
During the process of creation of the profile leading upto a successful registration, the APP was transacting data over the Internet which we captured using the Charles software mentioned above. What we saw was that personal information such as name, email id, gender, telecom operator type and more was indeed being shared with the website in.wzrkt.com. In the screenshot below, it can be seen that the email-id pratik@xyzabc.com that we entered during registration has been sent to in.wzrkt.com.
The video below will show a live demonstration of this fact-check and will show how personal information that you’re sharing with the Prime Minister’s app is indeed being sent to a third party website without your consent.
NOTE: Kindly watch the video in Full HD/1080p for better viewing.
NOTE: Those not interested in the technical details of how to setup your phone and computer for intercepting data can skip the next section.
Technical details
Once Charles is installed on your PC/laptop, your phone’s proxy server needs to be configured to point to the machine which has Charles running so that it can intercept all the traffic emanating from your phone. This is done by inputting the IP Address of your PC/laptop and the proxy server port (Default: 8888) that Charles is listening on in the proxy server section of the Wi-Fi Settings on your phone.
Additionally, since the data that is being transacted between the Narendra Modi app and outside world is over HTTPS and is encrypted, one needs to install the Charles Root Certificate on your phone by pointing your Mobile browser to chls.pro/ssl and following the prompts.
Lastly, add in.wzrkt.com in the list at “SSL Proxy Settings” which in turn can be found in the “Proxy” main menu.
Once the above settings are configured, Charles running on your machine is ready to intercept the data from the Narendra Modi app on your phone.