Soon after the Narendra Modi app controversy over data sharing without users' consent, the Indian National Congress' official mobile app, With INC, has found itself embroiled in a similar situation.
An anonymous Twitter handle, which goes by the name Elliot Alderson and describes itself as a French security researcher, highlighted various lapses in the With INC app.
He pointed out that when users apply for membership in the party's official Android app, their personal data is sent encoded through an 'HTTP' request to membership.inc.in. Because plain HTTP does not encrypt traffic, the data sent from the app to the website is not secure.
When you apply for membership in the official @INCIndia #android #app, your personal data are sent encoded through an HTTP request to https://t.co/t1pidQUmtq. pic.twitter.com/6RH0ORYrQd
— Elliot Alderson (@fs0c131y) March 26, 2018
“Moreover, the personal data are encoded with base64. This is not encryption! Decoding this data is very easy as shown in the example,” he tweeted.
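The point about base64 can be checked on captured app traffic. The following is an added example, not code from the researcher or from the app: it audits a form-encoded request body and reports fields whose values decode from base64 to personal data, and whether the request used plain HTTP. The host, the applicant details and the two patterns are constructed for illustration.

```python
import base64
import binascii
import re
from urllib.parse import parse_qsl, urlencode, urlsplit

# Illustrative patterns for personal data a membership form might carry.
PII_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "phone": re.compile(r"\b\d{10}\b"),
}

def decode_if_base64(value):
    """Return the decoded text if value is base64 of printable UTF-8, else None."""
    try:
        text = base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    return text if len(text) >= 4 and text.isprintable() else None

def audit_request(url, body):
    """List form fields in a captured request that expose personal data."""
    cleartext = urlsplit(url).scheme.lower() != "https"
    findings = []
    for field, value in parse_qsl(body, keep_blank_values=True):
        decoded = decode_if_base64(value)  # no key needed: base64 is reversible
        text = value if decoded is None else decoded
        kinds = sorted(k for k, p in PII_PATTERNS.items() if p.search(text))
        if kinds:
            findings.append({"field": field, "pii": kinds,
                             "base64_only": decoded is not None,
                             "cleartext_transport": cleartext})
    return findings

def b64(text):
    """Base64-encode a string the way the sample body below does."""
    return base64.b64encode(text.encode()).decode()

# Constructed sample: a made-up applicant and a placeholder host.
SAMPLE_URL = "http://membership.example/apply"
SAMPLE_BODY = urlencode({"name": b64("Asha Rao"),
                         "email": b64("asha@example.org"),
                         "phone": b64("9876543210")})

if __name__ == "__main__":
    for finding in audit_request(SAMPLE_URL, SAMPLE_BODY):
        print(finding)
```

A finding with both `base64_only` and `cleartext_transport` set means anyone on the network path can read the field. The fix is to send the request over HTTPS, since the encoding adds no confidentiality.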
In a series of tweets, it was also revealed that the server of the website (membership.inc.in) is located in Singapore.
However, Divya Spandana/Ramya, the social media and digital communications manager of the Congress party, denied the allegation.
She tweeted that the URL for membership on the INC app has been defunct for a while now and that the party's membership is through the INC website.
The URL for membership on the INC app has been defunct for a while now. Our membership is through the INC website. How difficult is that to understand- https://t.co/UbS5vrTcNL
— Divya Spandana/Ramya (@divyaspandana) March 26, 2018
Interestingly, contrary to her claim, the INC app still takes requests for membership. Entrackr tried the process and found that the app was responsive and functional.
The war of words between the two parties over compromising data started on Saturday, when the anonymous Twitter account made some revelations about the Narendra Modi app.
In a series of tweets, he pointed out that the app is sharing device as well as personal information of its users with a third-party domain called in.wzrkt.com, which belongs to the US company CleverTap, without their consent.
The device information which is being shared includes the operating software, network type, and carrier, among others. Besides, the app is also passing personal information such as email, photo, gender and name to the third-party domain without users’ consent.