User Data Collected By Indian Mobile Wallet Apps
December 19, 2016
Even as you try out mobile wallets, be aware of the data they collect from you and be sure you really wish to part with it. Don’t just automatically accept permission requests while installing apps without reading them. Safety and privacy are at stake.
1. Read your Web bookmarks and history
The Paytm app on Android requests access to “read your Web bookmarks and history”.
2. Read sensitive log data
Every app logs device- and app-specific information every time it executes a command, completes an update, or when a user logs in with his/her User ID. In some cases, the app can gain access to sensitive data like MAC ID, IMEI number, saved WiFi network information, and other apps installed on the device. Sometimes a user authenticates with an app using his/her Gmail or Facebook account, and the app can read information about these accounts from the log.
By collecting WiFi network information, including network name (SSID), an app developer can employ data analytics and identify a cluster of users connected to the same network. This allows the developer to determine that the cluster of users could be users in the same office/home/public location.
Apps requesting access to sensitive log data are PayUMoney, MyJio, JioSecurity and JioSwitch.
3. Record audio
This permission allows an application to record audio via the phone’s microphone. The Android developer guide classifies the ‘protection level’ for such a permission (for a user) as ‘dangerous’, which means that the permission would give a requesting application access to private user data or control over the device that can negatively impact the user.
Apps requesting this permission: FreeCharge, Airtel Money, JioMoney Wallet
4. Modify Contacts
Although most mobile wallet apps request permission only to ‘read contacts’ for the purpose of making a recharge or sending money, some apps seek permission to modify or edit your existing contacts. This allows an application to write new contacts as well as modify existing ones. The Android developer guide again classifies the protection level for this permission as ‘dangerous’.
Apps requesting this permission: Paytm, FreeCharge, Vodafone M-pesa
5. Read call log, reroute outgoing calls, directly call phone numbers
The ‘Read call log’ permission allows an application to read the user’s call log information, such as phone number, duration of call, and the time when the call was placed. The ‘Reroute outgoing calls’ and ‘directly call phone number’ permissions are granted under the telephony permission as per the Android developer guide. It allows the requesting app to directly call phone numbers, modify an active call placed via the app, and even make calls without the user’s knowledge.
Apps requesting access to call logs: FreeCharge, MobiKwik Lite
Apps requesting access to place calls: FreeCharge, JioMoney Wallet, State Bank Buddy Wallet
Apps requesting access to reroute/modify calls: FreeCharge
6. Read phone status and identity
The Android developer guide mentions that apps seeking this permission can gain access to information like phone state, including the phone number of the device, current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. ‘PhoneAccounts’ is an Android classification which helps identify apps and user accounts that run using a unique phone number. The developer guide classifies protection level as ‘dangerous’ for this permission.
Apps requesting this permission: Almost all including Paytm, FreeCharge, MobiKwik, Oxigen Wallet, PayUMoney, JioMoney Wallet, Airtel Money, Vodafone M-pesa, Idea Money, and Citrus Wallet.
7. Location tracking using GPS/telecom network
These permissions allow an app to track the exact location of a user via GPS, or through the mobile network signals that the phone is picking up from a nearby tower.
Apps requesting location tracking: All apps.
Most users aren’t aware of the implications of permissions being taken by Wallet apps, and have no control over the data that is being collected. This is particularly significant, because apart from demographic and payment data, Wallet applications are in a position to collect a significant amount of behavioral information on users, which can be used to create granular profiles of users, and market services to them.
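To check an app against the seven categories above before trusting it, the Python below (an added example, not part of the original article) reads a decoded, plain-text AndroidManifest.xml and reports which categories the app requests. The mapping from the article's headings to Android permission names and the sample manifest are assumptions of this example.

```python
import xml.etree.ElementTree as ET
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."
# Article heading -> Android permission names (this mapping is an assumption of the example).
CATEGORIES = {
    "1. Read Web bookmarks and history": ["com.android.browser.permission.READ_HISTORY_BOOKMARKS"],
    "2. Read sensitive log data": [P + "READ_LOGS"],
    "3. Record audio": [P + "RECORD_AUDIO"],
    "4. Modify contacts": [P + "WRITE_CONTACTS"],
    "5. Call log, place or reroute calls": [P + "READ_CALL_LOG", P + "CALL_PHONE", P + "PROCESS_OUTGOING_CALLS"],
    "6. Read phone status and identity": [P + "READ_PHONE_STATE"],
    "7. Location tracking": [P + "ACCESS_FINE_LOCATION", P + "ACCESS_COARSE_LOCATION"],
}

def requested_permissions(manifest_xml):
    """Return the set of permission names declared in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    names = set()
    for el in root.iter():
        if el.tag in ("uses-permission", "uses-permission-sdk-23"):
            name = el.get(ANDROID_NS + "name")
            if name:
                names.add(name.strip())
    return names

def audit(manifest_xml):
    """Map requested permissions onto the article's categories; omit empty ones."""
    requested = requested_permissions(manifest_xml)
    report = {}
    for heading, perms in CATEGORIES.items():
        hits = [p for p in perms if p in requested]
        if hits:
            report[heading] = hits
    return report

# Constructed sample manifest for a hypothetical app, not taken from any real wallet.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallet">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.WRITE_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission-sdk-23 android:name="android.permission.READ_CALL_LOG"/>
</manifest>"""

if __name__ == "__main__":
    for heading, hits in audit(SAMPLE_MANIFEST).items():
        print(heading, "->", ", ".join(h.rsplit(".", 1)[-1] for h in hits))
```

The manifest inside an APK is stored in a binary format, so it has to be decoded to text first; permissions outside the seven categories (such as INTERNET in the sample) are ignored by design.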