Global reports of data theft by smartphone makers prompted govt vigilance

Studies showed how data from China-made phones went to home country, triggering India's probe

The recent directive of the government to smartphone companies, a majority of them from China, to share the security architecture they followed while making devices came after a few international reports cited instances of data theft by Chinese firms.

According to government sources, it became a matter of concern when a US-based security firm, Kryptowire, reported in November last year that a Chinese company named Shanghai AdUps has been sending massive data about phones and users to servers in China. AdUps runs software updates and comes pre-installed in many devices sourced from China.

Although the report cited security flaws on a global level, given the presence of Chinese brands in India, the government took some time to analyse the impact and then decided to take action by seeking security details.

According to the report, AdUps was sending data including phone number, location data, content of text messages, contact lists, call history with full telephone numbers, unique device identifiers including IMEI numbers, applications installed and used etc.

The company also bypassed the Android permission model, executed remote commands with escalated privileges, and was able to remotely reprogram the devices.

On a global level, AdUps runs software updates for over 700 million devices but the government felt a majority of them may be in India.

Similarly, a security flaw in the UC Browser was first reported by the University of Toronto. Now a government lab in Hyderabad is probing the Alibaba-owned firm for sending user details and location data to a remote server.

According to sources, UC Browser sends user and device identifiers such as IMSI (international mobile subscriber identity) and IMEI (international mobile equipment identity) numbers and location data to a remote server based in China.

However, UC Browser said it takes security and privacy very seriously and work hard to comply with local regulations of each region they operate in.

“It is common practice for IT companies to place servers all around the globe to provide better service to its users. We have strong measures in place to encrypt the data while we transmit it. It is also standard industry practice to collect user information and data in necessary scenarios to provide users with localised services. We take necessary authorisation from users to collect this data,” the company said in a statement.

The government has already sent notices to about 30 smartphone companies to share details about security practices while making devices. The companies have time till August 28 to send their comments.

Officials in the Ministry of Electronics and Information Technology said India aims to strengthen and secure its cyberspace and digital infrastructure, more so in a scenario when most of the firms making smartphones in India have their servers abroad. A majority of these firms are Chinese, which either sell directly or provide parts to Indian manufacturers. There are original equipment manufacturers (OEMs), too, serving Indian firms.