What does Truecaller know about me?


A few days ago I briefly reported on possible data protection problems with the Truecaller dialer app. To this day, the vendor has not responded to a notice. You can read how the app handles sensitive data in the app review on mobilprüf.de: "Truecaller: Not for users who want privacy".

Excerpt:

The following points are much more problematic:

  • In the app, users can tag phone numbers from the address book or the call list and enter names for unknown numbers. Anyone who does this uploads the contact and their name to the Truecaller database and makes them available to all other users. If you don't want that, you have to change a setting. For one thing, this contradicts the principle of “privacy by default”; for another, the process is so confusing that you don't know exactly when a contact will be uploaded and when not.
  • Facebook receives data from the app, including the advertising ID. The data protection declaration refers to third-party providers, but does not name Facebook.
  • The app transmits your own telephone number before you have given your consent.

I am adding a (processed) data recording (version 9.4.10 of the app). The following personal data is transmitted to Truecaller even before consent is given to the data protection declaration of the service:

  • buildVersion: 10
  • store: GOOGLE_PLAY (installation details, where the app comes from)
  • device_id: ca20962304918a5d - unique Android device ID
  • language: de
  • manufacturer: Xiaomi
  • model: Redmi Note 4
  • osName: Android
  • osVersion: 7.1.2
  • SIM card serial number: 8249276132935118291f
  • IMSI: 262074150723798
  • MCC: 262
  • MNC: 7
  • Operator: UnityMedia
  • phoneNumber: 1764xxxxxx - (the phone number)
  • [...]

The phone number may still make sense, but the serial number of the SIM card, the unique Android device ID and the IMSI number? Is this really information that is necessary to provide the service? I have my doubts - especially since the transmission takes place before the user has consented to the data protection declaration.
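As an added illustration (not part of the original post and not Truecaller's code), the following Python example checks a captured pre-consent payload for values shaped like device- or SIM-bound identifiers and verifies that the IMSI agrees with the reported MCC/MNC. The key names sim_serial, imsi, mcc, mnc and operator, the function names and the value-shape heuristics are assumptions.

```python
import re

# Constructed payload using the redacted values shown in the post. The keys
# sim_serial, imsi, mcc, mnc and operator are assumed names; the post gives
# those fields only as labels.
CAPTURE = {
    "buildVersion": "10", "store": "GOOGLE_PLAY",
    "device_id": "ca20962304918a5d", "language": "de",
    "manufacturer": "Xiaomi", "model": "Redmi Note 4",
    "osName": "Android", "osVersion": "7.1.2",
    "sim_serial": "8249276132935118291f", "imsi": "262074150723798",
    "mcc": "262", "mnc": "7", "operator": "UnityMedia",
    "phoneNumber": "1764xxxxxx",
}

# Heuristic value shapes of device- or SIM-bound identifiers (assumptions,
# not an exhaustive list); the first matching shape wins.
SHAPES = [
    ("IMSI", re.compile(r"\d{14,15}")),
    ("SIM serial (ICCID)", re.compile(r"\d{18,20}[fF]?")),
    ("Android device ID", re.compile(r"[0-9a-f]{16}")),
    ("phone number", re.compile(r"\+?\d{3,}[\dxX]{4,12}")),
]


def classify(value):
    """Return the identifier category a value looks like, or None."""
    return next((n for n, p in SHAPES if p.fullmatch(value)), None)


def imsi_matches_network(imsi, mcc, mnc):
    """An IMSI begins with the MCC followed by a 2- or 3-digit MNC."""
    return any(imsi.startswith(mcc + mnc.zfill(n)) for n in (2, 3))


def audit(payload, consent_given):
    """Return (field, category) pairs for identifiers sent without consent."""
    if consent_given:
        return []
    hits = ((field, classify(value)) for field, value in payload.items())
    return [(field, cat) for field, cat in hits if cat]


if __name__ == "__main__":
    for field, cat in audit(CAPTURE, consent_given=False):
        print(f"sent before consent: {field} looks like {cat}")
    ok = imsi_matches_network(CAPTURE["imsi"], CAPTURE["mcc"], CAPTURE["mnc"])
    print("IMSI consistent with MCC/MNC:", ok)
```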

My tip: uninstall.

Note

After the publication, Truecaller got in touch with me.
Truecaller app: transmission of sensitive data before consent | June 29th, 2018 | Mike Kuketz