Reliance Jio Chat Compromises User Security, Claims a Hackers' Collective

Reliance Jio Chat Compromises User Security, Claims a Hackers’ Collective is a Newslaundry news report published on 18 June 2015, written by Arunabh Saikia. The article covers allegations by Anonymous India — a hacktivist collective — that the Reliance Jio Chat application lacked basic encryption, potentially enabling mass surveillance and exposing Indian users to Chinese hackers. Sunil Abraham, then Executive Director of the Centre for Internet and Society, is quoted assessing the seriousness of the two distinct allegations: the lack of encryption, and the app’s use of foreign servers and mapping services.

Article Details

📰 Published in: Newslaundry
📅 Date: 18 June 2015
👤 Author: Arunabh Saikia
📄 Type: News report
🔗 Publication Link: Read Online

Full Text

Lack of encryption could lead to mass surveillance, says Anonymous India.

On June 12, Friday, Reliance India Limited (RIL) held its 41st Annual General Meeting (AGM), where the company's chairman, Mukesh Ambani, announced the roadmap of its much-talked-about 4G services.

RIL's telecommunication subsidiary Reliance Jio, which will roll out the service, plans to cover 80 per cent of India's population by the end of this year. According to notes of the AGM, Reliance Jio intends to have complete national coverage within the next three years.

Although this was the first official communication on the part of the company about its expansion strategy, Reliance Jio had already launched an instant messaging and calling application called Reliance Jio Chat "on a pilot basis" two months ago. Ambani, in his keynote address at the AGM, described it as "a powerful communication application that integrates chat, voice, video calling, conferencing, file sharing, photo sharing and much more in a single application". Ambani also pointed out that the app has seen more than 1 million downloads in these two months across Google Play Store and iTunes.

While the numbers suggest that the company has got an early edge in a highly competitive market, with its own over-the-top service (Jio Chat), an anonymous hackers' collective, Anonymous India, has raised serious questions about the app's security features.

Anonymous India is the same group that had claimed responsibility for bringing down the Telecom Regulatory Authority of India's official website, following the regulatory body's public release of email IDs from which responses were sent on net neutrality.

According to the group, there is no encryption of users' personal data in the application.

The group also claims that Jio Chat uses a Chinese mapping service, Amap, instead of Google Maps, the industry standard – which too, according to Anonymous India, is not encrypted. The lack of encryption, the group claims, could lead to mass surveillance.

Speaking to Newslaundry, the group said its reverse engineering of the app also proved that the app is hosted on a Chinese server. Incidentally, Reliance, in its feedback to TRAI in April this year, had advocated the case of OTTs setting up servers in India.

"We don't know why Reliance is using Amap and not Google, but what we do know is that the app is sending data over unencrypted network," claimed a member of the group. The member said the group's dissection of the app proved that the app has a bunch of URLs that point to domain names belonging to a Chinese company. "Which means they are sending data to a Chinese host," the member alleged. Anonymous India asserts that this could make Indian users vulnerable to Chinese hackers.

Sunil Abraham, executive director of the Centre for Internet and Society, said the first allegation that the user data is not encrypted, if true, is a "serious one with terrible consequences for privacy and security". "The second allegation that the application is hosted on a foreign server and uses foreign map services is still very important but there is very little that can be done by it – this is because most applications used by Indians are hosted on foreign servers and use foreign mapping services," he said. Abraham stated that the situation could only be addressed when there are indigenous competitors offering similar services.

Nikhil Pahwa, editor of Medianama, said that Telecom Service Providers (TSPs) should be allowed to have a server wherever they want, but all user communication should always be encrypted. "Businesses should be allowed to set up their servers anywhere in the world as that leads to global competition. Which works for the consumer as it leads to reduction of prices," he said. Pahwa added that TSPs should operate in a manner that benefits the public and the exceptions should not dictate the norm.

Shubhamangala Sunil, cyber security expert and founder chairperson of the Bangalore-based Cyber Security Response Team, told Newslaundry that while most OTTs are often compromised in some way or the other, Reliance Jio's chat application seemed particularly vulnerable with a whole range of loopholes. "Even WhatsApp is not the most secure, but Reliance Jio chat does not seem to have even the basic security system in place," she commented.

When we contacted the Indian Computer Emergency Response Team (CERT), the national nodal agency that is supposed to "respond to computer security incidents as and when they occur", we kept getting redirected to a slew of similar-sounding numbers – the owners of all of which, we were told, were in a meeting.

It has been reported that Reliance Jio is in discussion with Chinese mobile device makers for bundling their products with its 4G services.

Reliance, however, refutes all the allegations. Their answers to our queries have been produced verbatim below.

1. Is the app hosted on a Chinese server?

No, the application is hosted on servers owned by and installed in Reliance Jio data centers in India.

2. If yes, isn't that in conflict with the position you took in front of TRAI – where you said servers should be based inside the country, citing national security?

As the app is entirely hosted inside India, the issue of conflict does not arise.

3. Does the app use a Chinese mapping service – Amap?

Since the app is planned as a global application and China does not support Google Maps, the app includes use of Chinese map service only when the user is in China. In rest of the world it uses Google's map service. This is standard practice for similar applications. (This can be checked by anyone using the app in India or Globally except China, by using 'share location' feature.)

4. If yes, why? Why does it not use Google's mapping service?

Already answered.

5. Is the user data on the app encrypted?

Yes.

6. If yes, what encryption system is being used?

User data is exchanged using a controlled binary encoded protocol. In addition, in the new upgrade that is being released as part of continuous enhancement, standard AES encryption is implemented.

Note: This is an updated version of the story with Reliance's response.

Context and Background

The article was published in June 2015, weeks after Reliance Jio Chat’s pilot launch and just days after Mukesh Ambani’s 41st AGM address outlining Jio’s 4G rollout ambitions. At the time, the app had crossed one million downloads, making the security allegations by Anonymous India particularly timely. The same group had recently disrupted TRAI’s website in protest over the net neutrality consultation, which had inadvertently exposed respondents’ email addresses.

Sunil Abraham’s response drew a careful distinction between the two separate allegations: the lack of encryption — which he called a serious privacy and security concern if proven — and the use of foreign servers and mapping services, which he contextualised as commonplace across most apps used in India. His point about indigenous competition as the structural remedy to the latter issue reflects CIS’s broader position on digital sovereignty and market design.

The article is notable for also containing Reliance’s formal on-record response to each allegation, including its confirmation that AES encryption was being added in an upcoming upgrade — an implicit acknowledgement that encryption had not been fully implemented at launch. CERT-In’s inaccessibility when contacted by the journalist further underscored the absence of effective cyber security oversight infrastructure at the time.

📄 This page was created on 9 March 2026.