
PM Modi’s app is leaking out users’ personal data without their consent

A French security researcher, who has already exposed various security holes in the Aadhaar infrastructure, has claimed in a series of tweets that Narendra Modi’s application is sending personal information of its users to a third-party website called in.wzrkt.com, and that it is doing so without the consent of its users.

Pushing personal information such as email, photo, name, gender etc. to a third-party website without a user’s consent is a serious privacy breach. To ascertain whether this privacy breach occurred or not, Alt decided to take a deep dive into this issue and investigated PM Modi’s Android app.

Sniffing data transmitted by your phone
To ascertain whether your phone is transacting with a certain website or not, the data between the phone and the outside world needs to be intercepted. There are several software applications which allow one to do so. We used a popular one called Charles. As described on the Charles website, it enables one to view all the HTTP and SSL/HTTPS traffic between a machine and the Internet. The trial version of Charles works for 30 days after installation and runs only 30 minutes at a time. Details of how to configure Charles and your phone to intercept data are provided at the bottom of the article in the section “Technical Details”.

Intercepting data
To verify the claim of the researcher, we installed the Narendra Android app on our phone, tapped on the “Sign Up” button at the bottom and created a profile.

While the profile was being created, up to the point of successful registration, the app was transacting data over the Internet, which we captured using the Charles software mentioned above. What we saw was that personal information such as name, email id, gender, telecom operator type and more was indeed being shared with the website in.wzrkt.com. In the screenshot below, it can be seen that the email-id [email protected] that we entered during registration has been sent to in.wzrkt.com.

Technical details
Once Charles is installed on your PC/laptop, your phone’s proxy server needs to be configured to point to the machine which has Charles running so that it can intercept all the traffic emanating from your phone. This is done by inputting the IP Address of your PC/laptop and the proxy server port (Default: 8888) that Charles is listening on in the proxy server section of the Wi-Fi Settings on your phone.

Additionally, since the data being transacted between the Narendra app and the outside world travels over HTTPS and is encrypted, you need to install the Charles Root Certificate on your phone by pointing your mobile browser to chls.pro/ssl and following the prompts.

Lastly, add in.wzrkt.com in the list at “SSL Proxy Settings” which in turn can be found in the “Proxy” main menu.

Once the above settings are configured, Charles running on your machine is ready to intercept the data from the Narendra app on your phone.
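
Once a session has been captured this way, the search for personal data going to third-party hosts can be automated instead of being read off the screen. The following is an added example, not part of the original article or of Charles: it assumes the captured session has been exported as a HAR (HTTP Archive) file, and the sample entries, the first-party host name and the tester values are constructed placeholders (only in.wzrkt.com comes from the article).

```python
import json
from urllib.parse import quote, urlsplit

# Constructed sample in HAR 1.2 shape; every host except in.wzrkt.com is a placeholder.
SAMPLE_HAR = {"log": {"entries": [
    {"request": {"method": "POST", "url": "https://api.first-party.example/register",
                 "postData": {"text": json.dumps({"email": "tester@example.org",
                                                  "name": "Test User"})}}},
    {"request": {"method": "POST", "url": "https://in.wzrkt.com/a?os=Android",
                 "postData": {"text": "d=" + quote(json.dumps(
                     {"Email": "tester@example.org", "Gender": "M"}))}}},
    {"request": {"method": "GET", "url": "https://cdn.other.example/logo.png"}},
]}}


def variants(value):
    """Plain, percent-encoded and double-encoded forms of a value, lower-cased."""
    once = quote(value, safe="")
    return {value.lower(), once.lower(), quote(once, safe="").lower()}


def find_third_party_pii(har, first_party_suffixes, known_values):
    """Return (host, label) pairs for requests to hosts outside the
    first-party suffixes whose URL or body carries a value the tester typed in."""
    findings = []
    for entry in har["log"]["entries"]:
        req = entry["request"]
        host = (urlsplit(req["url"]).hostname or "").lower()
        if any(host == s or host.endswith("." + s) for s in first_party_suffixes):
            continue  # traffic to the app's own backend is expected
        body = (req.get("postData") or {}).get("text") or ""
        haystack = (req["url"] + "\n" + body).lower()
        for label, value in known_values.items():
            if any(v in haystack for v in variants(value)):
                findings.append((host, label))
    return findings


if __name__ == "__main__":
    # With a real capture: har = json.load(open("session.har", encoding="utf-8"))
    typed_in = {"email": "tester@example.org", "name": "Test User"}
    for host, label in find_third_party_pii(SAMPLE_HAR, {"first-party.example"}, typed_in):
        print(f"{label} sent to third-party host {host}")
```

Register with values that are unique to the test (a dedicated email address and an unusual name) so that a match cannot be a coincidence.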
