Arrka Privacy Study reveals app companies in India send user data abroad


Arrka Privacy tested 100 Indian applications and associated websites - across categories finance, travel, entertainment and communication to understand user data and privacy concerns.

With India being the fastest growing digital population and the second largest digital nation is the world, great opportunities come with even greater risks - user data protection and privacy being the key ones. While Reliance Jio has played an exceptional role in making internet available in most corners of the country, the absence of a data protection and privacy law in India only increases this risk of cyber security.

The second edition of the Arrka Privacy Study on 'State of Data Privacy of Mobile Apps from India’ by Arrka, an enterprise cyber security and user data privacy platforms company, was unveiled at the security summit held by Nasscom-Data Security Council of India (DSCI).

Arrka Privacy tested 100 Indian applications - available on both Android and iOS, and their associated websites - across categories finance, travel, entertainment and communication for privacy.

Ninety apps have more than one million downloads in Android Play Story and 58 percent of the websites were chosen from the list of Top 500 Indian websites, based on Alexa rating.

The focus of the study were fourfold -

  • What personal user data does the app or website have access to?
  • Which third parties are personal data being shared with and how much of this crosses geographical boundaries?
  • How secure is the handling of personal data?
  • How transparent has the platform been to its users, regarding the privacy practices.

Access to personal user data

The study revealed that some Indian Android apps seek as much as 45 percent higher permissions from users, when compared to their global counterparts.

Concerning access, 50 percent of the Android apps have access to camera, 69 percent have access to user's precise location and 79 percent have access to device ID and call details. For iOS, 79 percent have access to camera, 88 percent have access to photos and 72 percent of the apps have access to user's location.

The findings of the study revealed that the top dangerous permissions accessed include - allowing writing to the user's external storage (88 percent), having access to device ID and call details (79 percent), having access to details about user's email and social media accounts (66 percent) and having access to the user's exact location (69 percent).

The average number of dangerous permissions per customer is eight. Apps under categories communication (16 percent), mobile wallet apps (11.7 percent), shopping apps (10.3 percent) and medical apps (10.3 percent) use the most dangerous permissions.

Applications under categories like games, sports, news and magazines and entertainment streaming use the least dangerous permissions.

Children safety

One serious finding of this study was related to children's safety.

Arrka Study particularly studied children's Android apps from India, beyond the 100 base apps. Apps from each category mentioned in Google Play was studied.

The study revealed that 29 percent of apps took no permissions at all. While 29 percent had access to location and phone details, 71 percent had access to storage. All the apps had links to other apps and, additionally, 71 percent of these apps contained in-app ads that were not child-friendly.

About 71 percent of the Indian apps for children had access to storage. Half of the permissions accessed by these apps are not even required for the app to function.

And 43 percent of children apps enabled in-app purchases without any adult consent.

Third-party tracking

As many as 96 percent of the selected websites use third party-cookies and 73 percent of them use e-tags. Google is leading the race by being the largest third-party organisation, comprising 30 to 58 percent of instances across channels, while Facebook comes second.

The study also revealed that as many as 99 percent of the Android apps and 94 percent iOS apps shared user data with one or more third parties for advertising and analytics. Most of the user data that these apps and websites share with third parties, end up going to global tech firms - Google and Facebook.

Almost all the applications sent user data across the borders and 41 percent of the websites do not encode or encrypt username and password at the client side prior to transmission.

The US is the primary destination of all the data being transferred outside India, with more than 81 to 97 percent of the traffic being directed there, followed by Ireland, Singapore and France. "This is probably owing to the fact that most of the third-party advertisers and analytics companies are based out of the US," reads the findings of the study.

The study concluded that increased awareness combined with regulatory and legal pushes, adoption and maturity of privacy can go up in India.