What exactly does Truecaller do with your data? A hacker’s deep dive

by | Dec 18, 2019

As online privacy concerns increase, when signing up for Internet services or installing mobile apps, assurances of the protection of a prospective user’s data are given. But what really happens when you click that “sign up” button is anyone’s guess.

Two months ago, the National Information Technology Development Agency (NITDA) opened an investigation into caller ID app, Truecaller, over possible privacy issues. It was observed that the app’s privacy policies for the European Union (EU) countries were relatively secure and distinctively different from what obtained for non-EU countries.

Apparently, some of the permissions and variety of data demanded of non-EU users by the call app are absent for Truecaller users in the EU; this is attributed to the enactment of the General Data Protection Regulation (GDPR).

A month later, while coming to terms with the details of NITDA’s investigation, a Truecaller user lodged a complaint stating that promotional messages had been sent to his contacts without his consent, losing him potentially huge business opportunities.

Advertisement

In both instances, Truecaller firmly asserted that it takes privacy issues seriously and that the app would never send promotional messages on its own.


Suggested Read: How Truecaller might have cost this Nigerian user over $13,000


What happens when you sign up for Truecaller?

Through the lens of a developer who goes by the name Angry Wizard, we decided to find out what happens to your data when you sign up for Truecaller.

According to Angry Wizard, when you register/create an account in Truecaller, all your device info is uploaded to their server as hinted in the app’s privacy policy and its permissions list. They include:

  • International mobile subscriber identity (IMSI) — normally sent from your mobile device to your service provider any time you put your SIM card in a phone
  • Operating System (OS)
  • Device ID
  • Network type, carrier, etc.

Angry Wizard also hints that a user’s full info is then uploaded to a third-party domain belonging to a company called CleverTap — a mobile marketing company located in Mountain View, California — that enables marketers to identify, engage, and retain user info in an automated process.

Screenshot 61

Clevertap info

He further insists that the server engages in a lot of unusual activity and comes in contact with lots of other third-party domains in the process.

But it gets more interesting

Not unlike the transportation of eggs, any information given when registering on a website should be transported safely and securely.

While uploading data to an external server without the user’s consent apparently violates Truecaller’s privacy policy, Angry wizard alleges that Truecaller uses a very unsafe method to upload this data.

Advertisement

“Your entire phone book, contacts, and information get uploaded to their servers. Oh! And it’s over GET,” he explains.

The two most popular methods of uploading data from a user’s computer to a website’s server are the GET and POST method.

The GET method is unsafe for transferring sensitive and confidential information like a user’s data, as anyone who knows what to look for can easily gain access. Hence, the POST method is always preferred.

Consequently, the developer points out, all your info can be accessed publicly by anyone with the technical know-how.

Truecaller data

Web response containing personal info for Truecaller

According to Angry Wizard, the information of over 30,000 contacts and names of spammers reported by Truecaller users are made public, requiring no authentication for anyone to access.

So we went searching

Seeking clarification, on December 3, 2019, we reached out to Truecaller’s Director of Communications, Kim Fai Kok, who insisted once more that no user content is sent to a third-party domain without the user’s consent.

He also refuted claims that Truecaller uploads details using GET and that the information could be accessed publicly.

“No user or spam data can be accessed by the public. Any verified Truecaller user can access other users’ public data, provided they know the phone number of the person, in accordance with our Terms of Use and Privacy Policy,” says Kok.

“The spam data is a community spam list, which is accessible to all our users and does not require the owner of the phone number to accept any terms,” he adds.

To double-check these claims, on December 5, we sent two mobile numbers to the Wizard: one of a Truecaller user, and the other belonging to a non-Truecaller user and surprisingly, he sent back URLs containing information of both numbers.

A day or two after, the links stopped working, so we briefly thought Truecaller had fixed the issue. But last week Friday, we received another link containing the same information from both numbers.

While Truecaller refuted all of Angry Wizard’s claims, our latter discovery has given us pause as we await the outcome of NITDA’s investigation.

For the geeks, a detailed explanation of Angry Wizard’s deep dive can be found here.

DON’T MISS OUT!
Techpoint Digest
A daily 5-minute roundup of happenings in African and global tech, sent directly to your email inbox, between 5 a.m. and 7 a.m (WAT) every week day!
Stay Updated
Give it a try, you can unsubscribe anytime. Privacy Policy.
Senior Reporter at | Website

Writer and Narrator.  Tech, business and policy analysis is my daily bread.

Looking to chat? Catch up with me, @eruskkii, on Twitter or send a mail to emmanuel@techpoint.africa

Techpoint Build 2021 is here! Be part of the largest gathering of innovators, startup founders, thinkers, programmers, policymakers, and investors in West Africa. Register free now.

Subscribe
Notify of
guest
0 Comments
Inline Feedbacks
View all comments

Recent News

I wasn’t expecting this

I wasn’t expecting this

Today on #TechpointDigest, @OnomeOneyibo discusses #WorldFoodDay, PaySika’s $350 pre-seed, and several other things tech.

DON’T MISS OUT!
Techpoint Digest
A daily 5-minute roundup of happenings in African and global tech, sent directly to your email inbox, between 5 a.m. and 7 a.m (WAT) every week day!
Stay Updated
Give it a try, you can unsubscribe anytime. Privacy Policy.
close-link

Subscribe to Techpoint Digest!

A daily 5-minute roundup of happenings in African and global tech, sent directly to your email inbox, between 5 a.m. and 7 a.m (WAT) every week day!

Please check your email to confirm your subscription.

Subscribe to Crypto Explorer

A monthly series featuring in-depth analysis on the cryptocurrency sector in Africa

Please check your email to confirm your subscription.

Subscribe to The Experts

A bi-weekly where tech career specialists take us on their journey from newbie to expert, and how they became successful in the industry.

Please check your email to confirm your subscription.

Subscribe to Founder's Table

A monthly series, where we catch up with founders in the startup ecosystem, learn about their failures, successes and a few tricks of the trade

Please check your email to confirm your subscription.

Copy link
Powered by Social Snap