A controversy erupted last week over the Centre directing smartphone-makers to pre-install the Sanchar Saathi app, with the Opposition alleging that it could be used to spy on citizens. The order has been withdrawn, but the question remains - does this app really snoop on users?
For answers, NDTV's Open-Source Intelligence (OSINT) team, in collaboration with cybersecurity engineer Aseem Shrey, conducted a forensic analysis on the app's Android 10 version using decompilation, a method widely used by developers and researchers.
We examined 250 directories of code and over 200 files. The findings were also validated by a cybersecurity professional and a Gurugram-based cybersecurity firm-both requesting anonymity.
The verdict: In its present avatar, the app doesn't appear to engage in broad snooping.
Concerns about potential snooping by the app stem from the permissions it seeks. While the iOS version requires access to photos, files, and camera, the Android version requests more-but not unusually so. Popular apps like Google, Instagram, and X seek similar or greater access.
"Continuous background syncing and the possibility of future over-the-air (OTA) updates (in simple language: app updates) mean transparency and safeguards are essential for continued user trust," says Shrey, founder of ShipSec AI.
Fears vs Forensic Findings
Let's understand what this app does in the context of concerns.
Concern 1: Government can access call and SMS logs
Finding: After registration, the app captures details of incoming, missed, and rejected calls for the last 29 days, but not outgoing ones. This aligns with one of the app's purpose - reporting fraudulent calls.
Sanchar Saathi uses an Application Programming Interface (API) to transfer data from the user's phone to government servers. While call logs are stored in the phone's RAM, the API transfers information from the database that stores only those numbers which are reported as fraud or scam calls by the user. Data syncs every 15 minutes, which means the app checks in with government servers 96 times a day.
Concern 2: App collects IMEI number, which can be used to track users
Finding: On devices running Android 10 and above, IMEI identifiers are not accessible to ordinary apps. Apps need "READ_PRIVILEGED_PHONE_STATE" permission from Google, which Sanchar Saathi doesn't have. Instead, it uses Android's in-built MediaDrm API, recommended by Google to avoid IMEI logging.
The app also runs on Android 9, wherein it is technically possible to read IMEI numbers. "However, I didn't find any API that accessed that, not in the current app version," Shrey notes.
Concern 3: App sends photos and videos to the government
Finding: There is no conclusive evidence that the app sends photos and videos to government servers, though it's technically possible.
Sanchar Saathi implements strong security practices to prevent interception of data stored on the phone or in transit. "The technical implementation shows genuine privacy-protective choices. The developers clearly thought about security," says Shrey, the cybersecurity engineer.
(With inputs from Aayushman Choudhary, Head of AI, NDTV's Product Team)
