Digi Yatra Foundation drops app maker after ‘data-breach’ 

Privacy advocates have questioned the app’s data storage policies and the leeway it has been given by the Ministry of Civil Aviation

April 22, 2024 04:46 pm | Updated April 23, 2024 10:28 am IST - HYDERABAD

Touted as a game changer for check-in at Indian airports, this is not the first time the DigiYatra app has run into trouble. File


Frequent flier Haseeb Jafferi is a worried man. “All my Aadhaar details and flight history is on it, even my food preferences as the boarding pass is scanned. Now I wonder how many spam advertisements I will see. Scared to think if my data can be misused,” says Mr. Jafferi about the DigiYatra app, after he noticed that the colour of the app had changed. “It was odd to see the colour of the app change but just now I got this message from a colleague saying it has been compromised,” says Mr. Jafferi, who works for a private company and who deleted and uninstalled the app.

Touted as a game changer for check-in at Indian airports, this is not the first time the DigiYatra app has run into trouble. Privacy advocates have questioned its data storage policies and the leeway it has been given by the Ministry of Civil Aviation.

The information about the compromised app was available with DigiYatra much earlier. On March 27, the app owners tweeted: “Switch to the new Digi Yatra App with three simple steps:

Step-1: Please uninstall your old Digi Yatra App.

Step-2: Download and install the new Digi Yatra App.

Step-3: Recreate and save your credentials.

Available on iOS and Android.”

What the clarification did not reveal was that the app-maker DigiEvolve has been dropped. A media statement stated: “CEO of Digi Yatra Foundation also confirmed that Data Evolve has been completely removed from Digi Yatra ecosystem. No one has any access to any personal data of DY users including Digi Yatra Foundation.”

Normally, mobile app users have to upgrade the app whenever the app owners roll out a new iteration or find a glitch. The instruction to download a new app was a giveaway about data compromise. 

The app maker made no reference to how its data was compromised. A Twitter user, @kingslyj, pulled out the old app’s API and wrote: “The old app was communicating with the API endpoint at http://api-ssi.dataevolve.in /http://d-zxstcsa9j9.execute-api.ap-south-1.amazonaws.com. The new app communicates with http://api-prod.digiyatrafoundation.org. IOW all past versions of #DigiYatra app were sending passenger data to Dataevolve’s AWS servers.”

This flies in the face of the clarification that the Civil Aviation Ministry gave to Rajya Sabha member Saket Gokhale on January 24, 2024. “As you are aware, DigiYatra is a voluntary process for seamless and hassle free air travel which is purely voluntary. Further, it is basically to be used through app and all data is stored in mobile of passenger. To facilitate passengers not having app installed but intend to use DigiYatra kiosk-based registration only for the day of travel is provided by airports,” says the letter written by Aviation Minister Jyotiraditya Scindia to Mr. Gokhale.

The dubious past of DataEvolve, the Hyderabad-based maker of the app, was in the public domain much earlier. Another DataEvolve app, built for Andhra Pradesh, has been offloaded, and the State government moved on to Tata Consultancy Services-owned Aponline Limited because of criminal malfeasance by the app maker.

It began in October 2023 when Narsappa, the Traffic DSP of Tirupati, noticed a discrepancy between the penal amount levied on motorists violating rules and the money collected on the app developed by DataEvolve. “I noticed that there was a difference in the money collected and the money deposited in the dashboard. In 20 days there was a difference of ₹6 lakhs and I alerted my superiors about the fraud,” says Mr. Narsappa. The Andhra Pradesh police technical teams got involved, found ₹36.53 crore missing, and named the maker of the app, Kommireddy Avinash, as an accused. The app was functional from 2019 till it was shut down in 2023. Motorists in Andhra Pradesh now use aptonline.in to pay challans.

“There should have been a caveat about antecedents of the app makers. This is not there,” says privacy advocate Apar Gupta. 

Incidentally, the security audit queries posed by CERT for Digi Yatra Foundation included: penetration testing to identify vulnerabilities, code review to check for security best practices and potential vulnerabilities, network security assessment to ensure data transmission is encrypted and secure, authentication and authorisation review to verify access controls, server security assessment to protect against common server-side attacks. It did not include background checks on the app maker.
