As online privacy concerns increase, when signing up for Internet services or installing mobile apps, assurances of the protection of a prospective user’s data are given. But what really happens when you click that “sign up” button is anyone’s guess.
Two months ago, the National Information Technology Development Agency (NITDA) opened an investigation into caller ID app, Truecaller, over possible privacy issues. It was observed that the app’s privacy policies for the European Union (EU) countries were relatively secure and distinctively different from what obtained for non-EU countries.
Apparently, some of the permissions and variety of data demanded of non-EU users by the call app are absent for Truecaller users in the EU; this is attributed to the enactment of the General Data Protection Regulation (GDPR).
A month later, while coming to terms with the details of NITDA’s investigation, a Truecaller user lodged a complaint stating that promotional messages had been sent to his contacts without his consent, losing him potentially huge business opportunities. In both instances, Truecaller firmly asserted that it takes privacy issues seriously and that the app would never send promotional messages on its own.
What happens when you sign up for Truecaller?
Through the lens of a developer who goes by the name Angry Wizard, we decided to find out what happens to your data when you sign up for Truecaller. According to Angry Wizard, when you register/create an account in Truecaller, all your device info is uploaded to their server as hinted in the app’s privacy policy and its permissions list. They include:
International mobile subscriber identity (IMSI) — normally sent from your mobile device to your service provider any time you put your SIM card in a phone. Angry Wizard also hints that a user’s full info is then uploaded to a third-party domain belonging to a company called CleverTap — a mobile marketing company located in Mountain View, California — that enables marketers to identify, engage, and retain user info in an automated process.
He further insists that the server engages in a lot of unusual activity and comes in contact with lots of other third-party domains in the process. Not unlike the transportation of eggs, any information given when registering on a website should be transported safely and securely. While uploading data to an external server without the user’s consent apparently violates Truecaller’s privacy policy, Angry wizard alleges that Truecaller uses a very unsafe method to upload this data. “Your entire phone book, contacts, and information get uploaded to their servers. Oh! And it’s over GET,” he explains.
The two most popular methods of uploading data from a user’s computer to a website’s server are the GET and POST method. The GET method is unsafe for transferring sensitive and confidential information like a user’s data, as anyone who knows what to look for can easily gain access. Hence, the POST method is always preferred. Consequently, the developer points out, all your info can be accessed publicly by anyone with the technical know-how.
https://techpoint.africa/2019/12/18/truecaller-data-developer-dive/
