French hacker claims PM Modi’s app taking info without consent, explains modus operandi

A day after pointing to a massive security breach on the official mobile app of the Congress party, French hacker Elliot Alderson has now targeted the app of Prime Minister Narendra Modi.

In a series of tweets, he has alleged that the app sends the IP address of users to US-based website api.narendramodi.in without their consent.

Explaining the modus operandi, the hacker has also alleged that PM Modi’s Android app violates norms of European regulation as well as Google Play.

According to the hacker, “if you install the @narendramodi’s #Android #application on your phone, you are giving a lot of device information to @narendramodi without your consent”.

Here’s series of his tweets:

“1/ In this request, the @narendramodi’s #Android #application sends silently and without the user’s consent, his IP address and a unique identifier of his phone.
This personal data is sent to the website http://api.narendramodi.in  which is located in the US.”

“2/ As the application is available in Europe, it must comply with the European regulation called #GDPR. Since an IP address is considered as a personal data, the user must give his consent and must be able to opt out from this data collection.”

“3/ The @narendramodi’s #Android #application does not meet these requirements and so is breaking this European regulation.”

“4/ Moreover, not asking the user consent is a clear violation of the Google Play developer distribution agreement”

“5/ The unique phone identifier send by the @narendramodi’s #Android #application is composed of multiple device specific information: board, brand, name of the instruction set, name of the industrial design, manufacturer, model, name of the product”

“6/ So if you install the @narendramodi’s #Android #application on your phone, you are giving a lot of device information to @narendramodi without your consent”.

Elliot Alderson@fs0c131y

1/ In this request, the @narendramodi‘s #Android #application sends silently and without the user’s consent, his IP address and a unique identifier of his phone.
This personal data is sent to the website http://api.narendramodi.in  which is located in the US.

Elliot Alderson@fs0c131y

Replying to @fs0c131y

4/ Moreover, not asking the user consent is a clear violation of the Google Play developer distribution agreement https://play.google.com/about/developer-distribution-agreement.html …

Tweeting about the INC app on Monday, the French hacker had alleged that when one applies for membership of the party through the official Congress app on Google PlayStore, personal data are send encoded through a HTTP request to the party’s membership page online. The anonymous hacker then claims that the personal data has no encryption which makes decoding it relatively simple.

The most damning of his allegations was that the IP address of the Congress’ membership page points to a server located in Singapore.

Alderson had clarified he had no political agenda in putting his investigations in public domain.

Meanwhile, the Congress party removed its app from Google Play Store.

This even led to a political war of words between the BJP and the Congress as the former’s IT cell chief Amit Malviya tweeted, “Rahul Gandhi gave a call to #DeleteNaMoApp, but Congress deleted its own App from the App store after they were called out. What is the Congress party hiding?”

Entering damage control mode, Divya Spandana, Congress’ Social Media and Digital Communications head, said, “Clarification: We don’t drive membership through the app, it’s done through our website http:// www.inc.in Servers for these are based in Mumbai. As you may have noticed, the link on the app is broken.”

Your Opinion Counts !