nic-delhi/AarogyaSetu_Android

App can be instructed by server to silently upload all stored bluetooth/location data

Opened this issue · 0 comments

Upon launch the app makes a request to:

fp.swaraksha.gov.in/api/v1/users/status

The response is JSON, and if the "p" key's value is 1, the app responds by silently uploading all of the stored bluetooth/location data to the server. This occurs without notifying the user or asking for their consent. We have confirmed that this functionality is operational and that uploads do indeed take place. The relevant code is in the checkStatus() function within the file CorUtility.kt. We recommend that this functionality be disabled as a matter of urgency - silent uploads of sensitive data are wholly inappropriate.
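As an added illustration (not part of this issue or of the project's Kotlin code): a Python model of the trigger check described above, with an audit pass over a constructed capture of status responses and a consent gate in front of the upload decision. It assumes the trigger is exactly the JSON integer 1 under the "p" key, as the report states; the capture entries and timestamps are constructed sample data.

```python
import json

STATUS_PATH = "/api/v1/users/status"   # endpoint named in the issue
TRIGGER_KEY = "p"                      # key named in the issue; value 1 triggers the upload


def trigger_value(body: str):
    """Return the raw value under "p" in a status response, or None if absent/malformed."""
    try:
        doc = json.loads(body)
    except (TypeError, ValueError):
        return None
    if not isinstance(doc, dict):
        return None
    return doc.get(TRIGGER_KEY)


def server_requests_upload(body: str) -> bool:
    """True only for the integer 1 (assumption: bool/str/float forms are not the trigger)."""
    v = trigger_value(body)
    return type(v) is int and v == 1


def decide_upload(body: str, user_consented: bool) -> str:
    """Consent-gated variant of the decision: the server flag alone must never suffice."""
    if not server_requests_upload(body):
        return "no-upload"
    if not user_consented:
        return "blocked-needs-consent"
    return "upload"


def audit_capture(entries):
    """Flag every status response in a capture that instructs the client to bulk-upload."""
    return [e["ts"] for e in entries
            if e["path"] == STATUS_PATH and server_requests_upload(e["body"])]


# Constructed sample capture (not real traffic); host taken from the issue.
CAPTURE = [
    {"ts": "t1", "host": "fp.swaraksha.gov.in", "path": STATUS_PATH, "body": '{"p": 0}'},
    {"ts": "t2", "host": "fp.swaraksha.gov.in", "path": STATUS_PATH, "body": '{"p": 1}'},
    {"ts": "t3", "host": "fp.swaraksha.gov.in", "path": "/api/v1/other", "body": '{"p": 1}'},
    {"ts": "t4", "host": "fp.swaraksha.gov.in", "path": STATUS_PATH, "body": "not json"},
    {"ts": "t5", "host": "fp.swaraksha.gov.in", "path": STATUS_PATH, "body": '{"p": "1"}'},
]

if __name__ == "__main__":
    print("server-triggered upload requests at:", audit_capture(CAPTURE))
```

Running the audit over a real capture of the app's traffic would show how often the flag is set; the consent gate shows the minimal client-side change that removes the silent path.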