Sanchar Saathi App Security Analysis: Forensic Investigation Reveals Limited Privacy Concerns

A comprehensive forensic analysis conducted by NDTV's OSINT team and cybersecurity experts reveals that the controversial Sanchar Saathi app does not appear to engage in widespread surveillance as feared. While the app does collect certain call data and requires various permissions, security measures are in place, and the investigation found no evidence of extensive user monitoring or data misuse.

Does Sanchar Saathi Spy On You? What The App's Forensic Analysis Shows

New Delhi:

Last week, controversy arose when the Centre instructed smartphone manufacturers to pre-install the Sanchar Saathi app, with Opposition parties claiming it could potentially monitor citizens. Although the directive has been retracted, questions persist about whether this application actually engages in surveillance.

To determine the truth, NDTV's Open-Source Intelligence (OSINT) team collaborated with cybersecurity engineer Aseem Shrey to perform a forensic examination of the app's Android 10 version, utilizing decompilation techniques commonly employed by developers and researchers.

The investigation covered 250 code directories and over 200 files. The results were subsequently verified by a cybersecurity professional and a Gurugram-based cybersecurity company, both preferring to remain unnamed.

The conclusion: In its current form, the app does not appear to conduct widespread surveillance.

Worries about potential monitoring arise from the permissions the app requests. While the iOS version seeks access to photos, files, and camera, the Android version asks for more permissions—though not unusually so. Popular applications like Google, Instagram, and X request similar or greater levels of access.

"Continuous background synchronization and the possibility of future over-the-air (OTA) updates mean that transparency and protections are vital for maintaining user confidence," explains Shrey, who founded ShipSec AI.

Fears versus Forensic Results

Let's examine what this app does in relation to the concerns raised.

Concern 1: Government can access call and SMS records

Finding: After registration, the app records information about incoming, missed, and rejected calls from the past 29 days, but not outgoing calls. This is consistent with one of the app's functions: reporting fraudulent calls.

Sanchar Saathi employs an Application Programming Interface (API) to transfer data from the user's device to government servers. While call logs are stored in the phone's RAM, the API transfers information from a database that only contains numbers reported by the user as fraud or scam calls. Data synchronizes every 15 minutes, meaning the app communicates with government servers 96 times daily.

Concern 2: App gathers IMEI numbers, which could be used to track users

Finding: On devices running Android 10 and above, regular apps cannot access IMEI identifiers. Applications require the "READ_PRIVILEGED_PHONE_STATE" permission from Google, which Sanchar Saathi lacks. Instead, it uses Android's built-in MediaDrm API, recommended by Google to avoid IMEI logging.

The app also functions on Android 9, where reading IMEI numbers is technically possible. "However, I didn't discover any API that accessed that capability in the current app version," Shrey notes.
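The two checks described under Concern 2, whether the declared permissions allow IMEI access and whether any code actually calls for it, can be run against a decompiled APK. The Python script below is an added example, not part of NDTV's or Shrey's analysis; the manifest and source snippets are constructed samples rather than Sanchar Saathi files, and the function names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
# TelephonyManager methods that return the IMEI (getDeviceId is the older name).
IMEI_CALL = re.compile(r"\.(getImei|getDeviceId)\s*\(")

# Constructed inputs for illustration; not taken from the Sanchar Saathi APK.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-sdk android:minSdkVersion="28" android:targetSdkVersion="34"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
</manifest>"""
SAMPLE_SOURCES = {
    "DeviceId.java": "byte[] id = drm.getPropertyByteArray(MediaDrm.PROPERTY_DEVICE_UNIQUE_ID);\n",
    "Legacy.java": "// unused\nString imei = telephonyManager.getDeviceId();\n",
}

def declared_permissions(manifest_xml):
    """Return ({short permission name: maxSdkVersion or None}, minSdkVersion)."""
    root = ET.fromstring(manifest_xml)
    perms = {}
    for el in root.iter("uses-permission"):
        max_sdk = el.get(NS + "maxSdkVersion")
        perms[el.get(NS + "name", "").rsplit(".", 1)[-1]] = int(max_sdk) if max_sdk else None
    sdk = root.find("uses-sdk")
    return perms, (int(sdk.get(NS + "minSdkVersion", "1")) if sdk is not None else 1)

def imei_capability(manifest_xml):
    """Report whether the declared permissions could unlock the IMEI per Android era."""
    perms, min_sdk = declared_permissions(manifest_xml)
    def covers(name, api):
        return name in perms and (perms[name] is None or perms[name] >= api)
    return {
        # API 29+ (Android 10+): only the privileged permission unlocks the IMEI.
        "android10_plus": covers("READ_PRIVILEGED_PHONE_STATE", 29),
        # API 28 and below: the ordinary READ_PHONE_STATE permission is enough.
        "android9_or_lower": min_sdk <= 28 and covers("READ_PHONE_STATE", min_sdk),
    }

def imei_call_sites(sources):
    """Return (file, line number, method) for each IMEI-returning call found."""
    hits = []
    for path, text in sorted(sources.items()):
        for n, line in enumerate(text.splitlines(), 1):
            if (m := IMEI_CALL.search(line.split("//", 1)[0])):  # skip line comments
                hits.append((path, n, m.group(1)))
    return hits

if __name__ == "__main__":
    print(imei_capability(SAMPLE_MANIFEST))
    print(imei_call_sites(SAMPLE_SOURCES))
```

A manifest result only shows what the app could do; the call-site scan is what distinguishes capability from use, and a simple text match like this one will miss calls made through reflection or obfuscated names.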

Concern 3: App transmits photos and videos to the government

Finding: There is no definitive evidence that the app sends photos and videos to government servers, though it is technically feasible.

Sanchar Saathi implements robust security measures to prevent interception of data stored on the device or in transit. "The technical implementation demonstrates genuine privacy-protective choices. The developers clearly prioritized security," says Shrey, the cybersecurity engineer.

(With contributions from Aayushman Choudhary, Head of AI, NDTV's Product Team)

Source: https://www.ndtv.com/india-news/does-sanchar-saathi-spy-on-you-what-the-apps-forensic-analysis-shows-9799516