A day after accusing the ruling BJP of illegally collecting data from its NaMo app users and using it for political gains, the Congress was on Monday left red-faced with the same data security researcher alleging that the Congress’s official Android app lacked the latest security safety certificate and its data could potentially end up being illegally accessed.
The allegations come two days after Elliot Alderson pointed out that the NaMo App, used by Prime Minister Narendra Modi’s office to interact with citizens, was sharing users’ profile data with third-party domains without the users’ consent. Moreover, the Prime Minister’s Office was issuing government orders asking a section of students to mandatorily sign up on the app despite it being owned not by the government but by Narendra Modi, with the registered address of the BJP office in New Delhi. The government app for the Prime Minister is the PMO app, available on both the Android Play Store and the iOS App Store.
While the Congress was quick to take on the BJP over the supposed flaw, on Sunday night, Alderson tweeted that he found ‘something interesting’ on the Congress’s Android app and that he would publish details on Monday. This morning, he tweeted:
“When you apply for membership in the official @INCIndia #android #app, your personal data are send encoded through a HTTP request to http://membership.inc.in.” In subsequent tweets, he added: “the personal data are encoding with base 64. This is not encryption! Decode this data is very easy as shown in the example. The IP address of http://membership.inc.in is 184.108.40.206. This server is located in Singapore. As you are an #Indian political party, having your server in #India is probably a good idea.”
What Alderson is referring to is a (Secure Sockets Layer) SSL certificate – a key of sorts that ensures the interaction between a user and the website is secure and cannot be accessed by any third party. The Congress party’s App, he alleges, uses the outdated HTTP and not the most recent secure one – HTTP Secure (HTTPS).
Come on! HTTP?! I’m sure you are able to rectify this and use HTTPS instead. pic.twitter.com/elRQVlU5bT
— Elliot Alderson (@fs0c131y) March 26, 2018
In its defence, the Congress claimed it no longer uses its App to collect data from users but only to share social media updates with those who had downloaded the app. Membership, its digital communications in-charge Divya Spandana said, was only through its website inc.in, which has an HTTPS certificate. “With INC App was used for membership. In November, the party launched a new website and transitioned membership from the App to its website. Since then it (the app) has nothing to do with membership but only social media. The inc.in website is hosted on Amazon servers in Mumbai,” Spandana told IndianExpress.com. Following the allegations, however, the party took down both its apps from the Android and iOS app store.
WithINC app was being used for Social Media updates alone since transitioning the membership to the website. This morning we were forced to remove the app from the Playstore as the wrong URL was being circulated & people were being misled.
— Congress (@INCIndia) March 26, 2018
Alderson had on Saturday tweeted that the NaMo App was sharing users’ data without their consent.
“When you create a profile in the official @narendramodi #Android app, all your device info (OS, network type, Carrier …) and personal data (email, photo, gender, name, …) are send without your consent to a third-party domain called http://in.wzrkt.com .,” he tweeted, adding “@narendramodi, I know privacy is not your thing but any thoughts about sharing the personal data of your users without their consent to a third-party company?”
The BJP, responding to Alderson’s allegations, said all permissions sought by the app were cause-specific and the data obtained was used only for analytical purposes.
It tweeted from its official Twitter handle: “Narendra Modi App is a unique App, which unlike most Apps, gives access to users in ‘guest mode’ without even any permission or data. The permissions required are all contextual and cause-specific. Contrary to Rahul’s lies, fact is that data is being used for only analytics using third party service, similar to Google Analytics. Analytics on the user data is done for offering users the most contextual content. This ensures that a user gets the best experience by showing content in his language & interests. A person who looks up agri-related info will get agri related content easily. A person from TN will get updates in Tamil and get an update about an important initiative about TN.”
Congress President Rahul Gandhi, however, was quick to attack the Prime Minister. He tweeted: “Hi! My name is Narendra Modi. I am India’s Prime Minister. When you sign up for my official App, I give all your data to my friends in American companies. Ps. Thanks mainstream media, you’re doing a great job of burying this critical story, as always.”
Modi’s NaMo App secretly records audio, video, contacts of your friends & family and even tracks your location via GPS.
He’s the Big Boss who likes to spy on Indians.
Now he wants data on our children. 13 lakh NCC cadets are being forced to download the APP.#DeleteNaMoApp
— Rahul Gandhi (@RahulGandhi) March 26, 2018
Following Alderson’s latest tweet, BJP’s IT department head Amit Malvya chose to give it back in similar fashion: “Hi! My name is Rahul Gandhi. I am the President of India’s oldest political party. When you sign up for our official App, I give all your data to my friends in Singapore.” The battle on social media continues.
— Amit Malviya (@malviyamit) March 26, 2018