Prime Minister Narendra Modi on Tuesday urged citizens to vote on the demonetization policy through the Narendra Modi app on their mobile phones. He asked the public to participate in a survey in which a number of questions were posed about the scrapping of old Rs 500 and Rs 1000 currency notes.
In the busy hours of December 1, 2016, YourStory, a website that covers startup-related stories, received an email from Javed Khatri, who claims to have hacked the Narendra Modi app. The email read:
“I am able to access private data of any user on the app. The data includes phone number, email, name, location, interests, last seen etc. I successfully managed to extract the personal phone numbers and email ids of ministers like Smriti Irani (screenshot at the end of the article). Please find attached the screenshot.
“Not only that, I can make any user on the platform follow any other user on the platform. This is just the summary of this huge security loophole which I want to report. The privacy of more than seven million users is at stake if this gets ignored.”
The main intention behind the expose is to focus on the security of the app, not to cause any damage.
Here is the conversation with Javed.
YourStory: Would you want to come on record were we to report this?
JK: Yes, I would like to come on record as my intentions are clear. As I said, I don’t want to cause any damage. I just want them to pay attention to the security of the app and the privacy of the users.
YS: What work have you been doing?
JK: I run a mobile app development company called Applab here in Mumbai. I am a mobile app developer and a designer who loves building innovative products. In my free time, I like to research on security loopholes in various apps and websites. I have cracked a lot of apps and websites but I can’t disclose all of them.
YS: Was it very easy to hack the app? What are your thoughts on the security standards?
JK: It was not that difficult to hack the app. It took me around 15-20 minutes to get the entire access. Although the developers have focused a lot on security, they have left certain loopholes.
YS: Can you show us more proof that the extracted data is from the app we’re speaking of?
JK: Yes, I can show. For this, I would require you to sign up on the app with your name and once you sign up I can extract your personal details without your permission. Also, I have attached another screenshot with the URL which belongs to the app.
In this screenshot, you can see the personal data of Dr. Jitendra Singh, Minister of State for the Ministry of Development of North Eastern Region, Prime Minister Office, which you can’t access via the app.
YS: What are your suggestions/advice to the developer of the app?
JK: Most of the developers don’t do thorough security testing (penetration testing) before releasing their apps. From my experience, I can say more than 90 percent of the apps are hackable. The code inside the app is not properly obfuscated. Secret keys and API access keys can be easily extracted by reverse engineering. I would only advise them to come up with a more secure user authentication mechanism.
To test Javed’s claims, YourStory signed up on the app. As it turned out, Javed could fish out the details!
YourStory also said in its statement that “this is a serious privacy issue and should be sorted out as soon as possible. The reason we are carrying the article is because we take security and privacy issues seriously! We hope that the government takes notice and plugs the security loopholes immediately.”
Boopow is waiting on the Central Government’s Cyber Cell so that this loophole in the Narendra Modi app can be fixed soon.