Indian National Congress’s Android app insecurely transmits data to the party’s website without the user’s consent, claims French security researcher Elliot Alderson.
French security researcher Elliot Alderson on Monday claimed that the official Android app of the Congress Party is sending users’ personal data to the party’s website. In a series of tweets, Alderson alleged that the Indian National Congress’s Android app transmitted data to the party’s website insecurely and without the user’s consent. Last week, Alderson claimed that Indian Prime Minister Narendra Modi’s NaMo app was sending users’ personal data to a third-party company, CleverTap, without their permission.
On Monday morning, the Congress App was no longer available on Google Play Store. A source in the Congress Party confirmed that the app has been taken down. “The app has been lying defunct for the last six months. We took it down today. We will be relaunching a new app in a few months.” The party will hold a press conference at 4 pm explaining its stand.
According to Alderson, the app sends the membership data it collects over plain HTTP, which is an insecure way to transfer personal data: the request travels in cleartext and can be read or altered by anyone on the network path, such as the operator of a Wi-Fi hotspot or an ISP. HTTPS is the secure alternative; it carries the same HTTP traffic inside a TLS connection, so everything exchanged between the client (a browser or an app) and the website is encrypted and the server’s identity is verified. Alderson claims that the INC’s Android app does not use HTTPS, which means the data could be intercepted in transit.
When you apply for membership in the official @INCIndia #android #app, your personal data are sent encoded through an HTTP request to https://t.co/t1pidQUmtq. pic.twitter.com/6RH0ORYrQd
— Elliot Alderson (@fs0c131y) March 26, 2018
Moreover, the personal data are encoded with base64. This is not encryption! Decoding this data is very easy, as shown in the example. pic.twitter.com/yDWawN2YiR
— Elliot Alderson (@fs0c131y) March 26, 2018
The IP address of https://t.co/t1pidQUmtq is 52.77.237.47. This server is located in Singapore. As you are an #Indian political party, having your server in #India is probably a good idea. pic.twitter.com/tbspCtOPfB
— Elliot Alderson (@fs0c131y) March 26, 2018
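The flaw the tweets above describe, base64-encoded personal data sent over plain HTTP, as an added Python example that is not code from the INC app or from Alderson’s tweets: one function builds the request the way such an app would, the other plays an on-path observer who sees the raw bytes and recovers the fields. The host name membership.inc.in comes from the article; the path `/api/membership`, the `data` form field and the sample member record are constructed assumptions for this example.

```python
"""Added example: why base64 over plain HTTP is not protection.

Everything below the host name is an assumption made for illustration:
the endpoint path, the `data` form field and the sample member record
are constructed, not taken from the INC app or from the tweets.
"""
import base64
import json
from urllib.parse import parse_qs, quote

HOST = "membership.inc.in"        # from the article
PATH = "/api/membership"          # assumed endpoint path

# Constructed sample record; any resemblance to a real person is accidental.
SAMPLE_MEMBER = {"name": "A. Member", "phone": "919876543210"}


def build_app_request(fields: dict) -> bytes:
    """Simulate the client side of the pattern described in the tweets:
    JSON-serialise the form, base64 it, and POST it over HTTP with no TLS.
    The exact wire format is an assumption."""
    encoded = base64.b64encode(json.dumps(fields).encode()).decode()
    body = "data=" + quote(encoded, safe="")  # '=' and '/' get percent-encoded
    head = (
        f"POST {PATH} HTTP/1.1\r\n"
        f"Host: {HOST}\r\n"
        f"Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {len(body)}\r\n"
        f"\r\n"
    )
    return head.encode() + body.encode()


def inspect_captured_request(raw: bytes) -> dict:
    """Simulate an on-path observer (hotspot operator, ISP, anyone with a
    packet capture). Without TLS the whole request is readable, and base64
    is a reversible encoding, so the fields come back with one library call."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode().split("\r\n")
    method, path, _version = lines[0].split(" ")
    headers = dict(line.split(": ", 1) for line in lines[1:])
    form = parse_qs(body.decode())  # also undoes the percent-encoding
    decoded = {}
    for key, values in form.items():
        try:
            # No key, no secret: decode and parse straight back to the record.
            decoded[key] = json.loads(base64.b64decode(values[0], validate=True))
        except ValueError:  # binascii.Error and JSONDecodeError both subclass it
            decoded[key] = values[0]  # not base64/JSON; keep what was seen
    return {
        "transport": "cleartext HTTP (no TLS)",
        "method": method,
        "host": headers.get("Host"),
        "path": path,
        "fields": decoded,
    }


if __name__ == "__main__":
    wire = build_app_request(SAMPLE_MEMBER)
    print(wire.decode())                     # what is readable on the network
    print(json.dumps(inspect_captured_request(wire), indent=2))
```

The literal name and phone number never appear on the wire, which is why base64 can look like protection in a packet capture, but the observer needs nothing beyond the standard library to get them back. The fix is transport encryption, not a different encoding: serve the endpoint over HTTPS and make the app refuse cleartext (Android 9 and later block it by default; earlier targets need `cleartextTrafficPermitted="false"` in the app’s network security config).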
The researcher also claims that the IP address of membership.inc.in, the website to which the Congress Party app sends data, is located in Singapore. However, Divya Spandana has stated that the Congress Party does not collect any personal data through the INC app; the party only collects membership data through its website inc.in. The party also said it has moved its membership sign-up to inc.in/membership and no longer accepts memberships from the app.
We don’t collect any personal data through the INC app. We discontinued it a long time ago. It was being used only for social media updates.
We collect data for membership and this is through our website https://t.co/Mi3BWOK9Z0, this is encrypted. https://t.co/9r0EXWwU4Z
— Divya Spandana/Ramya (@divyaspandana) March 26, 2018
Users are already unhappy with the way Facebook is handling the Cambridge Analytica data-leak controversy. Back in India, the BJP and Congress parties have accused each other of mishandling user data by ‘flouting security norms’ in their respective apps.