The Narendra Modi app, the personal mobile application of Prime Minister of India Narendra Modi, is allegedly sharing users' private information with a third-party US company, CleverTap, without their consent, French security researcher Elliot Alderson has claimed. Alderson posted a series of tweets claiming that when users create a profile on the Narendra Modi Android app, their device information and personal data are sent to a third-party domain called in.wzrkt.com, which apparently belongs to the US company.
According to the researcher, the device information being shared includes operating system, network type, carrier, etc. Meanwhile, users' personal information such as email, photo, gender and name is also being shared with CleverTap without consent. “When you create a profile in the official @narendramodi #Android app, all your device info (OS, network type, Carrier …) and personal data (email, photo, gender, name, …) are sent without your consent to a third-party domain called http://in.wzrkt.com,” reads Alderson’s tweet.
Explaining his findings, the researcher said that the Narendra Modi app allegedly collects users' personal and device information and sends it to in.wzrkt.com without consent. This domain, he adds, has been classified as a phishing link by the company G-Data. Meanwhile, the website is apparently hosted by GoDaddy, with its WHOIS information hidden.
The researcher then traced the domain back to CleverTap. “After a quick search, this domain belongs to an American company called @CleverTap. According to their description, ‘#CleverTap is the next generation app engagement platform. It enables marketers to identify, engage and retain users and provides developers,’” tweeted Alderson. The researcher also raised concerns about why the WHOIS information of wzrkt.com has been masked by CleverTap.
Notably, this is not the first time that Elliot Alderson has flagged security issues related to the sharing of personal information. Earlier this year, he claimed that OnePlus was allegedly sending clipboard data back to a Chinese server. Alderson alleged that a file called badwords.txt in the OxygenOS beta may have helped the company identify some data and send it back to a Chinese server without a user’s consent.