French security researcher Elliot Alderson has alleged a privacy and security breach by Congress’ official app.
When you apply for membership in the official @INCIndia #android #app, your personal data are sent encoded through an HTTP request to https://t.co/t1pidQUmtq. pic.twitter.com/6RH0ORYrQd
— Elliot Alderson (@fs0c131y) March 26, 2018
According to Alderson, the app, which collects membership data, sends that data over HTTP (unsecured) and not HTTPS (secured). He further said that the personal data is only encoded with Base64, which is relatively easy to decode.
Moreover, the personal data are encoded with base 64. This is not encryption! Decoding this data is very easy as shown in the example. pic.twitter.com/yDWawN2YiR
— Elliot Alderson (@fs0c131y) March 26, 2018
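A check a reviewer could run over captured app traffic to confirm both points above: that the request travels over plain HTTP and that its fields decode without any key. This is an added example, not code from the researcher or the article; the host name, field names and form-encoded body are constructed assumptions.

```python
import base64
import binascii
from urllib.parse import parse_qsl, urlencode, urlsplit

# Constructed sample request (placeholder host and made-up values, not real traffic).
SAMPLE_URL = "http://membership.example.invalid/api/join"
SAMPLE_BODY = urlencode({
    "name": base64.b64encode(b"Asha Rao").decode(),
    "phone": base64.b64encode(b"9000000000").decode(),
    "lang": "en",
})


def try_base64(value):
    """Return decoded text if value is valid Base64 of printable UTF-8, else None.

    Heuristic only: short or oddly sized strings are skipped to limit false hits.
    """
    if len(value) < 8 or len(value) % 4:
        return None
    try:
        text = base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def audit_request(url, body):
    """Return findings for one captured request: transport and reversible fields."""
    findings = []
    # Anything other than https exposes the body to every network hop.
    if urlsplit(url).scheme.lower() != "https":
        findings.append(("cleartext-transport", url))
    # Base64 needs no key, so a field that decodes cleanly is effectively plaintext.
    for key, value in parse_qsl(body, keep_blank_values=True):
        decoded = try_base64(value)
        if decoded is not None:
            findings.append(("base64-not-encrypted", key, decoded))
    return findings


if __name__ == "__main__":
    for finding in audit_request(SAMPLE_URL, SAMPLE_BODY):
        print(finding)
```

Moving the endpoint to HTTPS addresses the transport finding; the Base64 finding then matters only for where the data is stored or logged, since encoding adds no confidentiality.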
He further states that the IP (internet protocol) address of membership.inc.in is located in Singapore.
The IP address of https://t.co/t1pidQUmtq is 52.77.237.47. This server is located in Singapore. As you are an #Indian political party, having your server in #India is probably a good idea. pic.twitter.com/tbspCtOPfB
— Elliot Alderson (@fs0c131y) March 26, 2018
Congress social media head Divya Spandana has claimed that Congress does not conduct membership drives through the app, but only through the website inc.in. She also claimed that the servers are based in Mumbai.
However, she was soon called out by a Twitter user who claimed that the app did have a membership option. The app itself has now been removed from the Google Play Store, though there has been no official confirmation from the Congress party about its deletion.
App has been removed. It was at https://t.co/hxTd2oV8JY pic.twitter.com/xTd1fDL2Ge
— Nikhil Narayanan (@nikhilnarayanan) March 26, 2018
Why congress removed its app from play store? pic.twitter.com/zguy04efvj
— Err.. (@Gujju_Er) March 26, 2018
In fact, Elliot Alderson himself noticed that the app was missing from the Play Store.
Did @INCIndia remove their #android #app from the PlayStore just before my tweet?
— Elliot Alderson (@fs0c131y) March 26, 2018
The web cache of the app, which has reportedly now been removed, also mentions a membership drive being carried out through the app.
The privacy policy on their website, inc.in, is also shocking. The website states that the data collected by the website through the membership information you post could be shared with vendors, consultants and other service providers who ‘need access to such information to carry out their work’ for Congress.
Of all the privacy policies you may see on websites or apps, this one of the Congress party, no less, is the most shocking I have ever seen. It essentially says the moment you sign up with Congress, they will sell your data to anyone or everyone who suit their agenda. 1/3 pic.twitter.com/kStntXJB8P
— Akhilesh Mishra (@amishra77) March 26, 2018
The Congress website further washes its hands of responsibility for the privacy of your data once a third party gets involved.
This raises serious doubts about collecting citizens' data and allowing third parties access to it, especially in light of allegations against the UK-based data analytics company Cambridge Analytica, which was reportedly helping Congress win elections.