BENGALURU, Karnataka—An Indian start-up that few outside the fintech industry would have heard of embedded tracking software inside popular apps, including one that streamed Sai Baba stories and another that streamed Ilaiyaraaja songs, to scoop up sensitive user data including GPS locations, and business SMSes from ecommerce sites and banks to monitor spending activity, personal contacts, and much more, HuffPost India has found.
CreditVidya, a Hyderabad-based fin-tech company, ran this snooping code (technically known as a Software Development Kit or SDK) for several months in 2017 until a new version of Google’s Android operating system made it harder to scrape such data. The data, scooped up from users, was used to power CreditVidya’s self-learning algorithms that help lending companies determine the credit-worthiness of loan applicants. (Fin-tech is industry speak for financial technology, a fast growing category of software firms).
SDKs like the one developed by CreditVidya are called “Middleware”. If you assume an app is like a machine, middleware would be a component or a cog in that machine. As apps grow more complex, developers often rely on middleware developed by third parties, increasing the risk that user data is scraped and sold on for a fee.
Upon installing these apps, many of which were developed by a third party app developer call Winjit, users would have been asked for access permissions that are increasingly common and intrusive, but would have had no idea that their personal data was being scraped and sold further in a manner that could affect their credit-worthiness.
“Even though there might not be proper notice / informed consent, at least it’s understandable that lending apps that user uses is downloaded consciously and some night have knowledge on the fact that app,” said Srikanth L., a contributor to Cashless...