What exactly does Truecaller do with your data? A hacker’s deep dive

As online privacy concerns increase, when signing up for Internet services or installing mobile apps, assurances of the protection of a prospective user’s data are given. But what really happens when you click that “sign up” button is anyone’s guess.

A year ago, the National Information Technology Development Agency (NITDA) opened an investigation into caller ID app, Truecaller, over possible privacy issues. It was observed that the app’s privacy policies for the European Union (EU) countries were relatively secure and distinctively different from what obtained for non-EU countries.

Apparently, some of the permissions and variety of data demanded of non-EU users by the call app are absent for Truecaller users in the EU; this is attributed to the enactment of the General Data Protection Regulation (GDPR).

A month later, while coming to terms with the details of NITDA’s investigation, a Truecaller user lodged a complaint stating that promotional messages had been sent to his contacts without his consent, losing him potentially huge business opportunities.

In both instances, Truecaller firmly asserted that it takes privacy issues seriously and that the app would never send promotional messages on its own.

What happens when you sign up for Truecaller?

Through the lens of a developer who goes by the name Angry Wizard, he decided to find out what happens to your data when you sign up for Truecaller.

According to Angry Wizard, when you register/create an account in Truecaller, all your device info is uploaded to their server as hinted in the app’s privacy policy and its permissions list. They include:

• International mobile subscriber identity (IMSI) — normally sent from your mobile device to your service provider any time you put your SIM card in a phone
• Operating System (OS)
• Device ID
• Network type, carrier, etc.

Angry Wizard also hints that a user’s full info is then uploaded to a third-party domain belonging to a company called CleverTap — a mobile marketing company located in Mountain View, California — that enables marketers to identify, engage, and retain user info in an automated process.

He further insists that the server engages in a lot of unusual activity and comes in contact with lots of other third-party domains in the process.

But it gets more interesting

Not unlike the transportation of eggs, any information given when registering on a website should be transported safely and securely.

While uploading data to an external server without the user’s consent apparently violates Truecaller’s privacy policy, Angry wizard alleges that Truecaller uses a very unsafe method to upload this data.

“Your entire phone book, contacts, and information get uploaded to their servers. Oh! And it’s over GET,” he explains.

The two most popular methods of uploading data from a user’s computer to a website’s server are the GET and POST method.

The GET method is unsafe for transferring sensitive and confidential information like a user’s data, as anyone who knows what to look for can easily gain access. Hence, the POST method is always preferred.

Consequently, the developer points out, all your info can be accessed publicly by anyone with the technical know-how.

According to Angry Wizard, the information of over 30,000 contacts and names of spammers reported by Truecaller users are made public, requiring no authentication for anyone to access.

So we went searching

Seeking clarification, on December 3, 2019, we reached out to Truecaller’s Director of Communications, Kim Fai Kok, who insisted once more that no user content is sent to a third-party domain without the user’s consent.

He also refuted claims that Truecaller uploads details using GET and that the information could be accessed publicly.

“No user or spam data can be accessed by the public. Any verified Truecaller user can access other users’ public data, provided they know the phone number of the person, in accordance with our Terms of Use and Privacy Policy,” says Kok.

“The spam data is a community spam list, which is accessible to all our users and does not require the owner of the phone number to accept any terms,” he adds.

To double-check these claims, on December 5, we sent two mobile numbers to the Wizard: one of a Truecaller user, and the other belonging to a non-Truecaller user and surprisingly, he sent back URLs containing information of both numbers.

A day or two after, the links stopped working, so we briefly thought Truecaller had fixed the issue. But last week Friday, we received another link containing the same information from both numbers.

While Truecaller refuted all of Angry Wizard’s claims, our latter discovery has given us pause as we await the outcome of NITDA’s investigation.

For the geeks, a detailed explanation of Angry Wizard’s deep dive can be found here.

Source: Techpoint.africa