Hasty Briefsbeta

Decompiling Sanchar Saathi: Code Review of India's New Mandatory App

9 days ago
https://onlinetinker.com/blog/sanchar-saathi-security-analysis
Copy Link
  • #security
  • #privacy
  • #surveillance
  • The Sanchar Saathi app is a government utility for device verification and fraud reporting.
  • Critical finding: The app has full access to SMS body content and call logs, including contact names.
  • High risk: Uses MediaDrm UUID for persistent device tracking that survives factory resets.
  • Positive aspect: Implements SQLCipher AES-256 encryption for local data storage.
  • Medium risk: No certificate pinning, making it vulnerable to man-in-the-middle attacks.
  • Low risk: Comprehensive root and tamper detection mechanisms.
  • Data collected includes SMS content, call logs with names, persistent device ID, and SIM card info.
  • The app is safe for intended use but requires extensive permissions with significant privacy implications.
  • Recommendations: Grant permissions only when needed, review permissions regularly, and understand data collection scope.
  • Final verdict: Legitimate but with extensive surveillance capabilities that could be misused.
AboutLogin