Centre for Internet & Society

If you have installed a wallet app on your smartphone, be careful. Many such apps can access data, even sensitive personal information, and have features that do more than just make payments. All that, with your due “permission”.

The article by Samarth Bansal was published in The Hindu on December 5, 2016. Pranesh Prakash was quoted.

When they are being installed, the apps display a list of permissions. The user is prompted either to grant permission to access SMSs, call records and so on, or to decline, but the latter means rejecting the download. Barring a small fraction of tech-savvy users, most go with the flow, ignoring the permissions section.

The Hindu reviewed permissions sought by five wallet applications: MobiKwik, Freecharge, PayTM, Jio Money and Airtel Money.

Freecharge and Jio Money seek permission to “directly call phone numbers”, which means the app can call numbers without notifying you. Freecharge also asks to “read call log”. All five require permission to “read contacts”, which, as PayTM mentions, “gives you the ability to pick a number from contacts for a quick recharge or bill payment” or “helps you send and request money from friends”. Freecharge and PayTM ask permission to “modify contacts” and “record audio”.

PayTM is the only one that requests to “read your web bookmarks and history”. According to AndroidPit, an Android-centred news portal, this permission is needed for alternative browsers, back-up tools and possibly some social networking apps. For the rest, it is possibly a way to “spy on user’s browsing behaviour”, the portal says.

Wealth of data

Pranesh Prakash, policy director at the Centre for Internet and Society, told The Hindu that access to a wealth of data about the user enables various other business models.

“A mobile wallet application, using location tracking data, can tell a user about the discounts available on a nearby store if the payment is conducted using that platform. If the user is not explicitly made aware of such usage of data, I would call it a misuse of information,” he said. Note that “precise” location tracking, via GPS or mobile network, is requested by all five apps.

For PayTM, there is a mismatch between the complete set of permissions it asks for — as stated in the app store — and the ones it mentions on a dedicated page on its website explaining “PayTM app permissions”. Apart from the six basic features, the web page makes no mention of functions like location tracking or reading web history, which the app requires.

“In this regard, PhonePe [another wallet app] is the model to follow: it clearly states the permissions it is seeking and explains why it needs each one of those at the time of set-up.