Mint went to the Google Play Store and checked what permissions 16 popular stockbroking apps request from Android users. What we found is that different brokerages ask for different kinds – and numbers – of permissions.
Consider Angel One, India’s third-largest stockbroker by active clients. The app asks for permission to read the user’s contact list, and to know which other apps are installed on your phone. Such access, which can be used for various purposes (for instance, antivirus apps need to know which other apps are installed on the phone so they can scan them), is hidden behind technical lingo – ‘query all packages’. The Angel One app has been downloaded more than five crore times from the Play Store. Incidentally, the HDFC Securities app also requests permission to ‘query all packages’. Angel One did not respond to the queries sent by Mint, while HDFC Securities declined to comment.
For context, Google Play regards the list of installed apps on a user’s device as personal and sensitive information, and using this permission is only permitted if the app in question needs this for its core functionality. “If your app does not meet the requirements for acceptable use, you must remove it from your app’s manifest in order to comply with Play policy,” Google says on its support page for Android.
There’s another way apps can see which other apps a user has installed, according to Pea Bee, a blogger who digs up such info about Indian websites and apps. The blogger said some developers simply list the names of specific apps they wish to track in their manifest file. According to his research, a certain broking app has the names of 72 other apps in its manifest file. A manifest file is like a blueprint for an app. It’s an XML file that tells the Android system everything it needs to know about an app before it can run any of the app’s code.
For clarity, none of these permissions (including contact access) are required to carry out stockbroking operations or, for that matter, opening an account.
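As an added illustration (not code from the article, Pea Bee, or any broker), the script below parses a constructed Android manifest and reports the permissions the article singles out, including ‘query all packages’, together with the specific package names an app declares under `<queries>`, which is the second technique described above. The sample manifest and package names are made up.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# Permissions the article singles out as going beyond core brokerage use.
SENSITIVE_PERMISSIONS = {
    "android.permission.QUERY_ALL_PACKAGES": "see every installed app",
    "android.permission.READ_CONTACTS": "read the contact list",
    "android.permission.READ_SMS": "read SMS messages",
    "android.permission.READ_CALL_LOG": "read call logs",
    "android.permission.READ_CALENDAR": "read calendar events",
    "android.permission.READ_MEDIA_IMAGES": "read image files from shared storage",
}

# Constructed sample manifest (not any real broker's): asks for QUERY_ALL_PACKAGES and also names packages under <queries>.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
    <queries>
        <package android:name="com.example.rivalbroker"/>
        <package android:name="com.example.upiwallet"/>
        <package android:name="com.example.lendingapp"/>
    </queries>
</manifest>
"""


def audit_manifest(manifest_xml):
    """Report sensitive permissions requested and the packages the app declares
    it wants to see, so a reviewer can weigh each against core functionality."""
    root = ET.fromstring(manifest_xml)
    requested = [el.get(NAME_ATTR) for el in root.iter("uses-permission")]
    flagged = {p: SENSITIVE_PERMISSIONS[p] for p in requested
               if p in SENSITIVE_PERMISSIONS}
    # <queries><package/> entries show up only in a manifest review, not in the Play Store permission list.
    queried = [pkg.get(NAME_ATTR) for q in root.iter("queries")
               for pkg in q.iter("package")]
    return {"flagged": flagged, "queried_packages": queried,
            "sees_all_apps": "android.permission.QUERY_ALL_PACKAGES" in requested}


if __name__ == "__main__":
    report = audit_manifest(SAMPLE_MANIFEST)
    for perm, why in report["flagged"].items():
        print("FLAG", perm, "->", why)
    print("Named packages in <queries>:", len(report["queried_packages"]))
```

The same function can be pointed at a manifest extracted from a real APK with a tool such as apktool to compare what an app declares against the permissions the Play Store listing shows.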
The basics: Camera, microphone, location
Most apps ask for access to the camera, microphone and location since they are required to open an account. Apart from Zerodha, all other apps ask for camera and microphone access primarily for the onboarding process. Zerodha does not ask for these permissions as it onboards clients on the web and later gives them access to the app.
To be sure, users can opt out of these permissions after the KYC is completed, but cyber expert Smit Kotadiya said few people are tech-savvy enough to dig through the settings and disable these themselves.
Additional permissions
However, most brokers ask for more permissions than these. For instance, Share.Market by PhonePe asks for contact access, which it says is used “exclusively for the referral program, allowing users to easily identify and connect with friends they have invited”.
M-Stock by Mirae asks for access to your Google Calendar. This is optional and is for those who wish “to track critical economic events such as earnings calls, IPOs, trading holidays, etc.”
Bajaj Broking asks for access to ‘read audio files from shared storage’ and ‘read image files from shared storage’. The company did not reply to questions sent by Mint.
Apps such as Groww also offer UPI integration, and ask for camera and SMS access for payment functionality. A camera is required if a user wants to scan QR codes, while SMS and telephone access are needed to comply with NPCI regulations.
Kotadiya said, “In India’s mobile-first financial ecosystem, trading apps are now essential, but they often request far more access than is necessary. Permissions like camera, microphone, location, storage, and contacts are commonly requested, even though the core function of trading apps—buying and selling stocks—rarely requires these.”
Angel One, Upstox, Fyers, ICICI Securities, Kotak Securities, HDFC Securities, Dhan, Sahi, Paytm Money and 5 Paisa did not reply to Mint’s queries.
What does Sebi say?
Yogesh Chande, a securities lawyer and a partner with Shardul Amarchand Mangaldas, said, “Sebi requires clients of stockbrokers to fill in certain details in the account opening form prescribed by Sebi and stock exchanges. The account opening form is a mandatory document and a client is required to familiarise himself/herself with all the provisions in it.”
However, “additional clauses or documents specified by a stockbroker are non-mandatory and can be obtained from the client subject to the terms and conditions accepted by the client,” Chande added.
“While the details provided by clients are to be kept confidential and cannot be shared with any person, a stockbroker is allowed to disclose information about his clients with any person only with the ‘express permission’ of the client – for example, to cross-sell,” he said.
Stricter rules for AMCs
The rules are stricter for asset management companies (AMCs). In November 2023, Sebi ordered an AMC to stop seeking access to users’ location and contacts via its app, saying this violated the Association of Mutual Funds in India (AMFI) guidelines on data sharing and was against the spirit of investor privacy. Mint reported in October 2023 that Navi Mutual Fund restricted access to its app if users did not share their contacts and location.
“The practice of mandatorily seeking the permission of investors to access location and contact data on their device by a mobile application, which enables transactions in mutual fund units, does not comply with the letter and spirit of the said guidelines,” said Sebi in a letter to AMFI, which Mint has seen.
Shivaang Maheshwari, a lawyer who specialises in financial regulations, said, “The regulatory framework for AMCs has a more restrictive stance on the use of client data for cross-selling compared to stock brokers. For instance, Sebi expressly prohibits the sharing of user data between group entities managing multiple businesses or products, and also bars the cross-marketing of group company products using such data. No similar explicit restrictions apply to stock brokers, and they often share clients’ data with group companies.”
Data protection law in limbo
Sandeep Parekh, managing partner at Finsec Law Advisors, said, “Sebi probably hasn’t implemented privacy laws in the securities markets because the Digital Personal Data Protection (DPDP) Act and associated rules are yet to fully come into effect. (Though the law officially took effect in 2023, the rules are yet to be finalised, so it has not yet been implemented.) Once this happens, the current free-for-all will stop. Intermediaries should be fully ready to implement the act and rules. Entities must seek user consent, limit data usage, and maintain data accuracy and security. Cross-selling and third-party sharing will be strictly on an informed consent basis and not an omnibus approval.”
Sebi did not reply to Mint’s emailed queries.
Sneaky tactics exploit ‘consent fatigue’
Isha Suri, an independent researcher and an AI and market power fellow at the European AI Society Fund, said under the DPDP Act, 2023, apps must follow a policy of data minimisation, meaning they should only request the bare minimum data that’s required for running the app.
She added that some apps also use underhanded tactics to get consent from users. These include things like dark patterns, constant pop-ups, and jargon to nudge users into providing certain permissions. “Companies know there is consent fatigue, and it remains to be seen how the data protection act deals with this once it comes into effect.”
How can such data be misused?
Kotadiya said, “The biggest risk with giving out personal data is that we never know what the owners of the apps are doing with it. While legitimate stock apps haven’t been directly tied to permission misuse, fraudulent ones such as HiBox (which allegedly cheated Indian investors of ₹500 crore in 2024) and apps associated with ‘pig butchering’ scams have used excessive permissions to exploit users. Even trusted brokerages aren’t immune. Two big Indian stockbroking firms recently suffered data breaches, raising concerns about how collected data is secured.”
Pea Bee added, “Data from installed apps can be used to profile users and analyse their behaviour to show targeted ads, implement dynamic pricing, or even set personal loan rates. In some cases, this data may also be sold to third-party data brokers.”
Babu Lal, a ‘digital advocate’ who exposes fraudulent apps on social media, said app permissions are often necessary for core features, like sending an SMS to set up UPI, accessing the camera for online KYC, or uploading ID documents from the gallery. “Genuine developers typically request these permissions only to enable such functionality. But not all apps play fair. Some permissions are just ‘nice to have’, not essential. Before granting any, always ask yourself if it is truly needed,” he added.
How can you minimise your data exposure?
Unfortunately, Kotadiya said, not much can be done. He said while some permissions can be disabled, others can’t. He recommended that users switch from data-hungry apps to those that require minimal permissions.
Pea Bee said, “Data of installed apps can be accessed without the user’s permission. However it’s important to carefully review certain permissions, such as read SMS or read call logs, before installing an app. Some apps ask for permissions that are not necessary for their core functionality. Users should be cautious and only grant permissions that are clearly justified.”