Pathao ride-sharing app has been storing details about Bangladeshis' contacts from their phones. Photo: Facebook

Bangladeshi ride-sharing app Pathao, which has enjoyed a meteoric rise over the past few years, has been accused of logging and storing private data – SMS and contact lists – without users’ knowledge.

The first revelation about the improper fetching and storing of SMS and contact list data came to light through a young Dhaka-based systems analyst named Ashik Ishtiaque Emon. He demonstrated on his personal website how Pathao is “stealing information and storing it in a server” without getting any “informed consent” from its users.

Emon’s demonstration went viral on social media and within a day, the company released an update and changed its app’s installation policy.

But cybersecurity and legal experts said what Pathao had done could embroil the US$100-million company in a potential billion-dollar lawsuit for security breaches if the company had been based in the West instead of the South Asian nation.

Firm accessed data on user’s contacts

“As a ride-sharing app, Pathao needs to access the location of the user, but doesn’t need to have access to its contacts or SMS service. Yet, Pathao, at the time of installation, adds those provisions,” Emon said.

“When a person installs Pathao’s app, he or she usually doesn’t read the full agreement or conditions of installing the app. Besides, a general user has a lack of understanding of the significance of allowing an app to get access to other apps and functionalities of the smartphone.”

“Pathao took that chance and accessed the contacts list and SMS service of a user. So when a user installs the app of Pathao, he or she unknowingly gives Pathao access to his or her contacts list and SMS service,” he said.

Emon said other ride-sharing services like the global giant Uber only ask for access to the user’s location at the time of installation.

Interestingly, after Emon’s demonstration went viral on social media, Pathao released a new update to its app. In this, it now only asks for permission to access the location, not the contacts list or SMS service.

Pathao’s defense

Pathao, along with the update, released a statement to the media that stated its position. The company acknowledged they had been collecting SMS and contact lists from users but claimed that the information is safe and secure with them.

The statement said: “Envious of Pathao’s popularity, some people are spreading wrong, misleading and false information through social media. We want to say it with certainty and resolutely that Pathao ensures the maximum protection and security of information of its driver and users. All the information of customers is safe and secured with us. Pathao does not wrongfully collect someone’s personal information without permission so the question of using that information cannot even arise.

“Pathao adheres to the same rules and regulations followed by international and domestic technology-based organizations to collect the information in order to provide the desired service to their customers,” it said.

The statement was signed by Ahmed Fahad, vice-president of Pathao. When contacted, Fahad declined to answer any further queries.

Major security breach

Cybersecurity expert Hasib Muammar Rashid said the fact that not all users are aware of — or are willing to find out — the conditions stipulated in the permissions of apps before they allow access is a cause for concern among security and privacy advocates.

He said if a social media app accessed a person’s SMS and contact list, the entire process would have raised eyebrows but would have been understandable. But for a ride-hailing service, this unjustified fetching and storing of data was totally uncalled for and violated all ethical practices.

“Neglecting little things like checking the permissions or data that an app requires could have huge repercussions in this world where data is becoming the most valuable asset,” Hasib said.

Barrister Sarkar Anik R Haque said Pathao’s action could have drawn a billion-dollar lawsuit if it were based in the West. “In Bangladesh, they took a chance, given the people’s naivety and lack of knowledge.”

He said data like this had become a big asset in the modern era. “Such personal information comprises valuable assets as consumer-driven companies are ready to spend millions of dollars for such information. This is a serious issue. Mass awareness should be created about this.”

Alimuzzaman, head of the Cyber Security Division of the Dhaka Metropolitan Police (DMP), said the division was investigating the matter. “If evidence of personal data theft is found against Pathao, we will take appropriate measures,” he warned.

How Pathao accessed sensitive information

Emon explained to Asia Times how the ride-sharing app accessed sensitive information stored in its users’ smartphones.

“To see what Pathao sends to remote servers, first I need to monitor my Android smartphone’s web traffic,” he said. “To achieve that I would need to pass my smartphone’s web traffic through my computer, which runs a MITM (Man In The Middle) proxy.”

The MITM proxy technology works by pretending to be the server to the client, and pretending to be the client to the server, while it actually sits in the middle decoding traffic from both sides.

Emon used Burp Suite as a MITM tool, and installed Burp Suite’s root CA (certificate authority) as the phone’s trusted CA. “This allowed me to decipher all SSL (Secure Sockets Layer) traffic originating from my smartphone and intercept these as unencrypted HTTP requests.”

“Since I was on a LAN, all I had to do next was to use my computer’s LAN IP as a proxy for my smartphone’s wi-fi. So now my smartphone has to go through my computer’s MITM setup before sending anything to the internet.”

By using the set-up, Emon demonstrated the lifecycle of a user’s SMS and showed that when a person who has Pathao’s app installed on his or her phone sends an SMS, it goes to Pathao’s server. The server stores it along with information about the user’s contact list.

Explaining the process behind it, Emon said: “In Android devices, ‘Permissions’ during the installation is where app developers outline the kind of personal information their apps get from their users, as well as the methods by which they get this information. The user grants these permissions to make them function properly. In turn, these apps gain insights into the user’s device from browsing behavior, media use, social media habits and personal networks.”
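The permission mismatch described in this article can be checked before an app is installed or approved. The following is an added example, not code from the article or from Emon's write-up: it audits a decoded AndroidManifest.xml against an allow-list for a ride-hailing app. The allow-list, the package name and the sample manifest are assumptions constructed for illustration; the permission names are real Android permissions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumption: what a ride-hailing app can justify (location plus network).
EXPECTED = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
}

# Permissions guarding the two data types the article discusses.
SENSITIVE = {
    "android.permission.READ_SMS": "SMS",
    "android.permission.RECEIVE_SMS": "SMS",
    "android.permission.READ_CONTACTS": "contacts",
}

# Constructed sample, not Pathao's real manifest. A manifest inside an APK
# is binary XML and must be decoded to text first (assumed already done).
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.rideshare">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission-sdk-23 android:name="android.permission.CAMERA"/>
    <application android:label="Example Ride"/>
</manifest>
"""

def audit_manifest(xml_text, expected=EXPECTED):
    """Return requested permissions that fall outside the expected set."""
    root = ET.fromstring(xml_text)
    requested = []
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for node in root.iter(tag):
            name = node.get(ANDROID_NS + "name")
            if name and name not in requested:
                requested.append(name)
    report = {"sensitive": [], "unexpected": []}
    for name in requested:
        if name in expected:
            continue
        if name in SENSITIVE:
            report["sensitive"].append((name, SENSITIVE[name]))
        else:
            report["unexpected"].append(name)
    return report

if __name__ == "__main__":
    print(audit_manifest(SAMPLE_MANIFEST))
```
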