Serious security flaws in NaMo app should leave us all worried

Even as hackers in India continue to target the Twitter Rahul Gandhi, the Indian National Congress, as well as the INC media communication liaison person Rachit Seth for a few homophobic laughs and some particularly acerbic trolling, there also exists a different breed of hackers, of a far more ethical nature, who are, in fact, trying to figure out urgent and pressing issues pertaining to online security our newfound digital utopia.

This is the story of Javed Khatri, a Mumbai-based app developer and entrepreneur. Javed, on December 1, 2016, sent a mail to YourStory.com, a media technology platform for entrepreneurs, about the Narendra Modi app, that was used by the prime minister to gauge the country’s opinion on his demonetisation drive.

While the app-based survey itself was full of questions that were either plain biased, or did not provide options for people to actually express their thoughts on the discontinuation of the Rs 500 and Rs 1,000 notes and the chaos it caused, it also contains (thanks to the survey) a goldmine of voter data.

The contents of the mail were as follows:

 “I am able to access private data of any user on the app. The data includes phone number, email, name, location, interests, last seen etc. I successfully managed to extract the personal phone numbers and email ids of ministers like Smriti Irani. Please find attached the screenshot.

“Not only that, I can make any user on the platform follow any other user on the platform. This is just the summary of this huge security loophole which I want to report. The privacy of more than seven million users is at stake if this gets ignored.”

In a chat with YourStory.com, Javed made his intentions clear. He does not want to abuse the information he gained access to, at all. “I don’t want to cause any damage. I just want them to pay attention to the security of the app and the privacy of the users” he said.

Javed, who likes to research on security loopholes in apps and websites in his free time, claims to have gone past the security of several apps and websites. According to him, it wasn’t very difficult for him to hack the NaMo app. According to him, “It took me around 15-20 minutes to get the entire access. Although the developers have focused a lot on security, they have left certain loopholes”

In addition to Smriti Irani’s information, Javed also sent a screenshot of the personal data of Dr Jitendra Singh, minister of development of North Eastern region, to further substantiate his claim.

Curiously enough, the story was pulled down from YourStory.com a few hours after it was published. 

Hey @YourStoryCo why did you pull down this story?Seems Modi machinery got busy trying to hide the embarrassment! ???????? pic.twitter.com/LSRsRWfCLP

— FQueued Ińdíán (@i_theindian) December 2, 2016

What is even more intriguing is that Javed Kahtri’s website too is no longer active. As if his intentions couldn’t be made any clearer, the man even tweeted to Prime Minister Narendra Modi's official Twitter handle about this security concern on December 1. Which begs the question: Is the Modi government going after the "ethical hacker"?

@narendramodi_in I have found a security issue in Narendra Modi's app. Would like to report the issue.

— Javed Khatri (@IamJavedKhatri) December 1, 2016

What are the implications of this?

According to GooglePlay, the Narendra Modi app has been installed by 5,000,000 - 10,000,000 people. The app in question requires one to register (through a tedious form) before the survey could be taken. According to a report by The Wire.in, the NaMo app is owned and operated by Narendra Modi, not by the government. Contrary to impression given by myriad reports by the media, the app is not a government initiative. Hence, the data collected in the app cannot be safeguarded by the government, and belongs to Narendra Modi, and by association, perhaps the BJP.

Another issue with the app is the kind of information it requires for one to register. In the compulsory sections, one has to provide their name, phone number, email address, state, district, city, profession and interest. The non-mandatory fields include your date of birth, and your voter ID number.

The question one has to ask is why anyone would have to provide their voter ID details, even voluntarily so, especially when the details are asked for by a political party, and not the government of India. Additionally, the placement of the voter ID field between other mandatory fields, gives off the impression that this too, is information one needs to provide, to register.

The implications of the BJP having access to this kind of voter data are disturbing to say the least. Additionally, with the app being this easily hackable, imagine what one could do with that staggering amount of confidential and certainly sensitive data. Even as a private citizen, it is imperative that Narendra Modi handle this amount of data with great care and does everything in his power to safeguard it.

The important question

Narendra Modi’s demonetisation drive has hurled the nation into a sudden and insufficiant digital environment that it is not fully equipped to adapt to, as of yet. While the average age of Indians using the internet to handle their finances is 30, those actually who own a smartphone are make up roughly 41 per cent of the population. Add to that, the acute lack of infrastructure, and the dream of Digital India seems more pipe than real in the present.

Additionally, the majority of India’s digital population is woefully ignorant about online safety. And if the Twitter handles of Congress bigwigs and the app of the prime minister himself are this vulnerable, what is to stop anyone from taking advantage of India’s ill-equipped digital renaissance?

In October, a massive debit card hack reportedly hit major Indian banks such as HDFC Bank, ICICI Bank, Yes Bank, Axis Bank and SBI, compromising as many as 3.2 million debit cards. In its present cashlessness, as our economy tries to limp with its digital crutch, another breach like that could pull the whole country down under.

What will, our e-saviour, Narendra Modi do then?

BJP's statement

Several hours after the YourStory.com report, BJP's national convener for information & technology issued his statement to the website:

“We would like to state that most of the data that is shared on the App is, anyway, in the public domain, for instance, comments posted by individual users, various posts, the groups and following list of every user, can be seen by anyone who is using the App. The App doesn’t capture any private or sensitive data. App user’s information is stored in an encrypted mode."

“We take data security very seriously, and adequate measures are in place to avoid any possible security breach or threat."

“We would like to thank Mr. Javed Khatri for acknowledging that the developers have focussed a lot on security. We have since had a constructive engagement and discussed various security measures to further enhance the security features of the App."

“Our digital assets are put through routine security audits and are in compliance with extant standards. In fact, we encourage anyone who has any suggestions or inputs on how we can improve the overall experience on the App is welcome to write to us through the feedback section in the App.”

(Editor's note: Headline was modified after being published.)

Also read - Modi's demonetisation survey asks no question it doesn't want answered