Wan Azlee, who goes by Fat Bidin, claims that MySejahtera is mining private information from our phones.
Find out what he discovered, and what the FACTS really are!
Updated @ 2020-12-03 : Added MySejahtera version history for more context.
Updated @ 2020-12-01 : Added more information, including how to disable permissions in Android and iOS for the paranoid.
Originally posted @ 2020-11-30
Fat Bidin : MySejahtera Is Mining Information From Our Phones!
In Episode 41 of Fat Bidin Knows Everything, Wan Azlee claimed (between mouthfuls of oats) that MySejahtera is mining a wealth of private information from our phones.
His evidence? A report by the Exodus Privacy website, stating that MySejahtera has 6 trackers and 24 permissions.
He went through the 24 permissions and made these concerning observations about MySejahtera :
- it can take control of your phone and pair it with your Bluetooth devices
- directly call phone numbers
- find accounts on your phone
- read your contacts in your phone
- read the contents of your SD card
- modify or delete the contents of your SD card
- prevent your phone from sleeping
- modify your contacts
Phwoarrrr…. shocking, isn’t it? Wan Azlee / Fat Bidin then asks the Malaysia Ministry of Health to be transparent and tell us what’s going on.
Well, let’s take a closer look at his claims…
Fat Bidin On MySejahtera Is Mining Our Information : A Fact Check
Wan Azlee is very articulate, but Fat Bidin honestly doesn’t quite know everything… and here’s why.
Fact #1 : That MySejahtera Version Was From April 2020
Fat Bidin posted his video on 24 November 2020, and we noticed that he was checking an old version of MySejahtera – version 1.0.10, that was posted way back in April 2020.
For the record, there have been FOURTEEN UPDATES since that version :
- 1.0.11 : 23 April 2020
- 1.0.12 : 28 April 2020
- 1.0.13 : 3 May 2020
- 1.0.15 : 4 May 2020
- 1.0.16 : 13 May 2020
- 1.0.17 : 23 May 2020
- 1.0.18 : 30 May 2020
- 1.0.19 : 3 June 2020
- 1.0.20 : 28 June 2020
- 1.0.21 : 30 June 2020
- 1.0.22 : 21 July 2020
- 1.0.23 : 29 July 2020
- 1.0.24 : 11 August 2020
- 1.0.25 : 5 November 2020
The latest version of MySejahtera – version 1.0.25 – was released on 5 November 2020 – 19 days before Wan Azlee posted his video.
Why on Earth would he focus on a 6-month-old version of the app, when there is a much newer version?
Fact #2 : Exodus Posted Their Latest MySejahtera Report On 20 November 2020
Exodus posted their latest report on the latest version of MySejahtera (version 1.0.25) on 20 November 2020 at 10:47 am (as you can see in this screenshot).
That was 4 days before Wan Azlee posted his video, so why didn’t he use this new report instead?
Fact #3 : MySejahtera Has 1 Tracker + 14 Permissions According To Exodus
According to the November 20 Exodus report, MySejahtera has 1 tracker – Google Firebase Analytics, and 14 permissions, of which the highlighted ones were :
- ACCESS_COARSE_LOCATION : access approximate location (network-based)
- ACCESS_FINE_LOCATION : access precise location (GPS and network-based)
- CALL_PHONE : directly call phone numbers
- CAMERA : take pictures and videos
- READ_EXTERNAL_STORAGE : read the contents of your SD card
- WRITE_EXTERNAL_STORAGE : modify or delete the contents of your SD card
We immediately noticed that several controversial permissions are no longer in it :
- GET_ACCOUNTS : find accounts on the device
- READ_CONTACTS : read your contacts
- WRITE_CONTACTS : modify your contacts
So if you are worried that MySejahtera is reading your contacts or modifying them, just UPDATE it to the latest version 1.0.25!
Fact #4 : Actual Permissions Are Fewer
When we checked MySejahtera 1.0.25 as installed in our phone, we found that it actually asked for and used only 11 permissions, instead of 14 as reported by Exodus.
The report also offered a bit more context about those permissions. For instance, location data is only made available when you are actively using the app.
That’s because the location data is used by MySejahtera for its Hotspot Tracker and Locate Health Screening Facility features.
In your phone, you can tap on them for more information on what they allow the app to do.
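The gap between what an app declares and what it actually holds on a device can be checked directly. The following is an added example, not part of the original article: it parses the text of `adb shell dumpsys package` and separates declared permissions from granted ones. The sample dump, the package name `com.example.tracingapp` and the permission mix are constructed, and the section layout is assumed to match recent Android versions.

```python
import re

# Constructed, trimmed sample of `adb shell dumpsys package <package>` output.
# Package name and permission mix are illustrative, not MySejahtera's real data.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.tracingapp] (1a2b3c4):
    requested permissions:
      android.permission.INTERNET
      android.permission.CAMERA
      android.permission.CALL_PHONE
      android.permission.ACCESS_FINE_LOCATION
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: ceDataInode=1234 installed=true hidden=false
      runtime permissions:
        android.permission.CAMERA: granted=true, flags=[ USER_SET ]
        android.permission.CALL_PHONE: granted=false, flags=[ USER_SET ]
        android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET ]
"""

# Dangerous (runtime-prompted) Android permissions named in this article.
DANGEROUS = {"ACCESS_COARSE_LOCATION", "ACCESS_FINE_LOCATION", "CALL_PHONE",
             "CAMERA", "READ_EXTERNAL_STORAGE", "WRITE_EXTERNAL_STORAGE",
             "GET_ACCOUNTS", "READ_CONTACTS", "WRITE_CONTACTS"}
SECTION = re.compile(r"^\s*(requested|install|runtime) permissions:\s*$")
ENTRY = re.compile(r"^\s+([A-Za-z_][\w.]*\.[\w.]+)(?::\s*granted=(true|false).*)?$")

def parse_permissions(dump):
    """Return (declared, granted) sets of short permission names."""
    declared, granted, section = set(), set(), None
    for line in dump.splitlines():
        header, entry = SECTION.match(line), ENTRY.match(line)
        if header or entry is None or section is None:
            section = header.group(1) if header else None  # other lines end a list
            continue
        name = entry.group(1).rsplit(".", 1)[-1]
        if section == "requested":
            declared.add(name)          # listed in the manifest
        elif entry.group(2) == "true":
            granted.add(name)           # actually held on this device
    return declared, granted

def audit(dump):
    """Summarise which declared dangerous permissions are really granted."""
    declared, granted = parse_permissions(dump)
    risky = declared & DANGEROUS
    return {"declared": len(declared),
            "dangerous_granted": sorted(risky & granted),
            "dangerous_not_granted": sorted(risky - granted)}
```

On a real device, pass the captured output of `adb shell dumpsys package <package-name>` to `audit()` in place of the constructed sample.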
Fact #5 : Apps Need To Read, Modify + Delete Their Own Data
The permission to read, modify and delete content on our phone may seem ridiculous, but it is a necessity for most apps.
Unless the app is merely a container for a website or web service, it needs to store data, and modify or delete it when necessary.
Fact #6 : Access To External / SD Card Is Necessary
Most developers will also ask for the permission to read, modify and delete content on the (micro) SD card, because of Adoptable Storage.
Adoptable Storage is a feature that lets smartphones use external storage (like a microSD card) as if it is part of their internal storage.
When a microSD card is used this way, apps like MySejahtera can be installed on it. Therefore, it would require permission to read, modify and delete its own data on the external storage card.
Fact #7 : Android Restricts Data Snooping
Apps that have access to read / modify / write external storage are allowed to access files from other apps. However, this is limited to only these three media collections :
- MediaStore.Images
- MediaStore.Video
- MediaStore.Audio
MySejahtera, or any other app with similar permissions, cannot read / modify / delete data outside of those three media storage locations.
Fact #8 : MySejahtera Has A Privacy Policy
Like all other Android and iOS apps, MySejahtera has a privacy policy, where it is stated clearly that :
MySejahtera is owned and operated by the Government of Malaysia. It is administrated by the Ministry of Health (MOH) and assisted by the National Security Council (NSC) and the Malaysian Administrative Modernisation and Management Planning Unit (MAMPU). The Government assures that the collection of your personal information is align with Personal Data Protection Act 2010 (Act 709).
The app will not record user’s Personal Data except with the permission and voluntarily provided by the user. Information collected are used for monitoring and enforcement purposes by Government authorities in dealing with the COVID-19 pandemic. This information is not shared with other organizations for other purposes unless specifically stated.
Fact #9 : You Are Protected By PDPA 2010 (Act 709)
We are all protected by the Personal Data Protection Act 2010 (Act 709).
Anyone who is caught sharing our personal data without permission is liable to a fine not exceeding three hundred thousand ringgit or to imprisonment for a term not exceeding two years or to both.
Fact #10 : You Can Disable Permissions
You can view and disable any permission that worries you :
Android
- Go to Settings > Apps > MySejahtera > Permissions.
- Tap on the permission you don’t want, and select Deny.
Apple iOS
- Go to Settings > MySejahtera.
- Disable the permissions you don’t want.
But note that doing this will likely break some features in MySejahtera.
Fact #11 : Many Other Apps Are Worse For Your Privacy
When it comes to privacy, we have bigger fish to fry. Take a look at how many trackers and permissions these four popular apps require.
They make MySejahtera look absolutely privacy-conscious!