Daybreak - Using Swiggy, Zepto, or Cred? They have access to at least 150 apps on your phone
Episode Date: May 13, 2025In March this year, a software developer that goes by Pea Bee online published a blog rather ominously titled ‘Everyone knows all the apps on your phone’. He found that several Indian ap...p-based startups are flouting rules of Google Play—Android’s app store—to access people’s data. In particular, some apps use a workaround to scrutinise the names and usage patterns of other apps on people’s phones. In real time.Now, the fact that apps have a lot of your data may not be a surprise to you. We’ve been pretty cavalier about our data for some time now. Remember Digi Yatra? But the scary thing is that Indian companies are equally nonchalant about the user data they collect. The result? Data-security breaches have been on the rise. So what is a data conscious Indian customer to do? Tune in. If you have any thoughts or questions about this episode, send them to us as texts or voice notes on Daybreak’s WhatsApp at +918971108379. Daybreak is produced from the newsroom of The Ken, India’s first subscriber-only business news platform. Subscribe for more exclusive, deeply-reported, and analytical business stories.
Transcript
Discussion (0)
Hi, this is Rohan Dharma Kumar.
If you've heard any of the Ken's podcasts, you've probably heard me, my interruptions, my analogies,
and my contrarian takes on most topics.
And you might rightly be wondering why am I interrupting this episode too.
It's for a special announcement.
For the last few months, I and Sita Ramon Ganesh, my colleague and the Ken's deputy editor,
have been working on an ambitious new podcast.
It's called Intermission.
We want to tell the secret sauce stories of India's greatest companies.
Stories of how they were born, how they fought to survive, how they build their organizations and culture,
how they manage to innovate and thrive over decades, and most importantly, how they're poised today.
To do that, Sita and I have been reading books, poring over reports, going through financial statements,
digging up archives, and talking to dozens of people.
And if that wasn't enough, we also decided to throw in video into the mix.
Yes, you heard that right.
Intermission has also had to find its footing in the world of multi-camera shoots in professional studios, laborious editing, and extensive post-production.
Sita and I are still reeling from the intensity of our first studio recording.
Intermission launches on March 23rd.
To get alert, as soon as we release our first video.
episode, please follow intermission on Spotify and Apple Podcasts or subscribe to the Ken's
YouTube channel. You can find all of the links at the ken.com slash I am. With that, back to your
episode. In March this year, a software developer that goes by PB Online published a blog
rather ominously titled, Everyone Knows All the Apps on Your Phone. So PB is a software
software developer based in India.
And software developers in India are, you know, from my understanding, like, many of them
are not very concerned with privacy, but a few of them are, and PB is one of them.
He was looking at what kind of app permissions, different apps on your phone had.
This is specific to Android phones.
And he found out that a lot of apps, especially from Indian app-based startups, were very
interested in finding out what other apps are installed on users' phones.
That's my colleague Abiramy.
Peeb told her over a phone call last month
that these startups were actively flouting Google Play's rules
to access people's data.
Now, this may sound extreme,
but essentially that means that that mobile phone
you're carrying around in your pocket every day?
Well, it's actually a data funnel spying on your every move.
For context, until up to 2020 or now, 2022,
Google Play, as per Google Play rules,
you know, apps had, like, you know, apps are basically even free reign to look at what other apps are on your phone for, like, various purposes.
But I think in around 2020, is when they stopped giving out these permissions willingly.
They were like, okay, you know, unless there is a specific reason why you need to, like, look at what other apps are on people's phones, you shouldn't be looking at these.
But many of these startups have figured out a workaround.
Despite Google's efforts, these startups, and by that I mean well-known companies like SWIFRs,
like Swiggy, Zepto and CRED
are still able to see a lot of the other apps and activities on your phone.
We'll get into how in a little while.
But before that, let's try and understand why.
What do they do with that data?
Profiling, because, you know, when you are an internet-based startup,
you need as much data about your users as possible.
So, you know, if you know what all apps are on someone else's phone,
you can have a fairly, like, solid picture of what kind of person they are.
Think about it.
Maybe you have a couple games like Candy Crush or Counterstrike on your phone.
Maybe you have some gambling apps.
Perhaps you're a frequent user of one particular kind of social media platform.
All that data helps these apps paint a picture of the sort of person that you are.
And more often than not, it's a fairly accurate picture.
Now, the fact that apps have a lot of your data may not be a surprise to you.
We've been pretty cavalier about our data for some time now.
Remember Digi Yatra?
Well, 9 million of us quite happily gave up our biometric details
just to make that airport rush a little more bearable.
About a year ago, a report by Price Waterhouse Coopers
revealed that a fifth of Indian consumers
weren't even aware of the Digital Personal Data Protection Act,
let alone their rights as consumers.
But the scary thing is that Indian companies are equally nonchalant
about the user data they're collecting.
And the result?
Well, data security breaches have been on the rise.
The latest one was the February breach at stockbroker Angel 1 that impacted nearly 8 million customers.
So, what is a data-conscious Indian customer to do?
Welcome to Daybreak, a business podcast from the Ken.
I'm your host Rahal Philippos and I don't chase the news cycle.
Instead, every day of the week, my colleague, Sikda Sharma and I
will come to you with one business story that is worth understanding
and worth your time.
Today is Tuesday, the 13th of May.
You know those nudges you get from time to time?
Swigil ask you if you're hungry and craving a burger
or a loan app like, say, credit B
will tell you to complete your half-finished application?
Well, the goal of these nudges is naturally
to improve customer experience and prevent cancellation.
But some of them are more targeted than others.
For instance, a deep tech VC Abhi spoke to
said many apps use.
datasets from the aggregator data.
AI, which was formerly known
as app Annie.
It does a lot of like
data analytics above
which are specific to
apps on like people's
phones. And what the VC
explained to me was that
I mean this is probably like more complex than this
but you know app Annie's like
tracking tools come bundle with certain
apps and
you know like they get installed and like
share the same permissions as this thing.
We are basically piggybacking on these apps.
And they can check, okay, like, you know,
how much time did you spend on this particular app?
How much time on that particular app?
And they collect this kind of data.
They aggregate it.
And, like, they group it by, you know, like, personality and, like, you know,
like, user profile.
Like, say, like, if you are a user between 18 and 25 who lives in Indranagar and, like,
you know, and, like, works a journalism job.
This is the kind of, like, thing that you are likely to do.
These other apps you are likely to actually.
for most periods of time.
And they can bundle up this data and sell it to people who want to buy it,
which in many cases might be, you know, like startups who want to like understand the kind
of profiles and maybe like, you know, use this information to target people in these areas more
specifically.
So, hypothetically, a platform like data.
data.
AI could potentially go to say Swiggy and tell them that people in a particular demographic,
like 19 to 25, are spending far more time.
on Zomato.
Swiggy can then figure out
how to double down
on that particular
user base.
And that's not all.
A lot of apps
themselves
harvest competitors
data from you.
For instance,
if you sign up
for Zepto postpaid,
the app will ask you
for permission
to read your bank's
SMS to you,
apparently to check
if you're eligible
for the plan.
But in the process,
P.B told Abi
that they also
read messages
from all their major
competitors,
including the likes of
Swiggy,
Zomato,
Blinket,
Big Basket and FlipCart.
It's very grey.
I think, like, the SMS permission, for instance,
like, is something that Zepter was originally supposed to use for, like, you know,
say, like, reading OTPs off of your bank providers, like, this thing, for instance.
Or checking, like, which all, like, you know, banks or, like, which all, like, financial apps,
like, are sending you SMS.
But, you know, along with that, they have just, like, you know, put in, like, Blinket and Swiggy
and all of these other guys that are the competitors.
Just to, just for them to know how much you're wrong.
ordering from them.
Since 2022, Google has expressly forbidden companies from seeing other installed apps on your phone
unless it's absolutely essential to an app-based startup's core functionality.
But like Abi mentioned, startups have been rampantly abusing this provision.
Peeb said one way they do it is by individually listing out every app on a user's phone that
they want to check for.
And there's more.
Stay tuned.
Peeb made an interesting point in his blog post back in March.
He found that Swiggy in particular
wasn't just harvesting data from consumers
but also from the gig workers that it was employing.
Gig workers are obviously the most like exposed
because you know,
um,
gig worker apps harvest like data
that is different from those who are consuming it
because, you know, you look for competitors apps.
Like if you are a Swiggy delivery driver
and you have the Swiggy delivery driver app,
they'll look for like, you know, Zeptos,
they look for blankets,
they'll look for porter, they'll look for Uber and Nola and like Rapido and all of these other
like this thing to mainly to understand like you know which all other like competitor like apps
these guys are working for.
It'll also check to see if they have personal finance or loan apps on their phone to understand who is in debt.
It'll also check for gambling apps like Rami King to assess who's likely to go into debt.
Meanwhile, the consumer facing app harvests data from 154 different apps on a user's phone.
including messaging apps like WhatsApp and Discord,
travel apps like Make My Trip Indigo and IRCTC
Rale, and even FinTech apps like CRED and PtM.
It even checks for Microsoft Teams and Slack.
Do you see where I'm going with this?
There is a very real class divide.
It's very intrusive.
Like, you know, it's basically these apps are trying to pry into like the lives of gig workers.
And we already know how a bunch of these like startup, app-based startups,
are very inconsiderate of their gig workers, right?
So you can kind of like look at the, you know, software side of it, the tech side of it,
as well as like the real life side of it and kind of put together this picture of how these guys want to understand.
You know, like how these guys want to like basically exploit their workers in whatever way they can.
BB also raised another pretty significant question.
How is knowing whether I have the Xbox or PlayStation
an app installed on my phone essential to an app like Swiggyzcore functionality.
It isn't just food delivery apps either.
Even FinTech apps are gathering as much data as they can while running in the background.
Yes, sure, regulated fintech apps have far more restrictions on what data they use,
but unregulated apps use data from a variety of sources and then make their own assumptions
based on them.
A former employee at a digital lending platform recalled how in the lender's earlier days,
when it mainly provided loans to college students.
It would check if they had games like Counter Strike installed in their devices.
They would usually refuse loans to students with too many gaming apps.
Why? Because that meant that they were unserious.
The former employee said many unregulated loan apps still do this.
And here's the other thing.
Most of these checks are only done on Android phones.
If you look at the divide between the upper middle class and the ultra rich, a lot of people, I mean, like, the divide here is that if you are an Android user, you are much more likely to have these, like, data privacy violations happen to you than if you're an iPhone user.
Because iPhones are simply, like, you know, more privacy focused.
But they're also much more expensive.
So if you are an iPhone user, you're automatically shielded from, like, a lot of this.
In fact, like, there isn't even like an iPhone version of a lot of these gig worker apps
because they straight up don't assume that gig workers can afford like iPhones.
And, yeah, if you look at app-panny statistics, if you look at data.coma statistics,
like 90% of the data that they have collected comes from Android phones and only 10% comes from Apple phones.
So, yeah, like, again, three levels of, like, privacy.
And if you are, like, rich, you can, like, avoid a lot of these by straight up, like, you know,
shielding yourself from being protected in various ways.
It's like, but if you are like a gig worker,
you can't like really defend yourself from a lot of this.
Daybreak is produced from the newsroom of the Ken
India's first subscriber-focused business news platform.
What you're listening to is just a small sample of our subscriber-only offerings.
A full subscription unlocks daily long-form feature stories,
newsletters and podcast extras.
Head to the Ken.com and click on the red subscribe button
on the top of the website.
Today's episode was hosted by Rahil Filippo's
produced by me, Snikda Sharma,
and edited by Rajiv Sien.