Fact Check : Fat Bidin Claims On MySejahtera Snooping!

Wan Azlee, who goes by Fat Bidin, claims that MySejahtera is mining private information from our phones.

Find out what he discovered, and what the FACTS really are!

Updated @ 2020-12-03 : Added MySejahtera version history for more context.

Updated @ 2020-12-01 : Added more information, including how to disable permissions in Android and iOS for the paranoid.

Originally posted @ 2020-11-30

Fat Bidin : MySejahtera Is Mining Information From Our Phones!

In Episode 41 of Fat Bidin Knows Everything, Wan Azlee claimed (between mouthfuls of oats) that MySejahtera is mining a wealth of private information from our phones.

His evidence? A report by the Exodus Privacy website, stating that MySejahtera has 6 trackers and 24 permissions.

He went through the 24 permissions and made these concerning observations about MySejahtera :

  • it can take control of your phone and pair it with your Bluetooth devices
  • directly call phone numbers
  • find accounts on your phone
  • read your contacts in your phone
  • read the contents of your SD card
  • modify or delete the contents of your SD card
  • prevent your phone from sleeping
  • modify your contacts

Phwoarrrr…. shocking, isn’t it? Wan Azlee / Fat Bidin then asks the Malaysia Ministry of Health to be transparent and tell us what’s going on.

Well, let’s take a closer look at his claims…

Fat Bidin On MySejahtera Is Mining Our Information : A Fact Check

Wan Azlee is very articulate, but Fat Bidin honestly doesn’t quite know everything… and here’s why.

Fact #1 : That MySejahtera Version Was From April 2020

Fat Bidin posted his video on 24 November 2020, and we noticed that he was checking an old version of MySejahtera – version 1.0.10, that was posted way back in April 2020.

For the record, there have been FOURTEEN UPDATES since that version :

  • 1.0.11 : 23 April 2020
  • 1.0.12 : 28 April 2020
  • 1.0.13 : 3 May 2020
  • 1.0.15 : 4 May 2020
  • 1.0.16 : 13 May 2020
  • 1.0.17 : 23 May 2020
  • 1.0.18 : 30 May 2020
  • 1.0.19 : 3 June 2020
  • 1.0.20 : 28 June 2020
  • 1.0.21 : 30 June 2020
  • 1.0.22 : 21 July 2020
  • 1.0.23 : 29 July 2020
  • 1.0.24 : 11 August 2020
  • 1.0.25 : 5 November 2020

The latest version of MySejahtera, version 1.0.25, was released on 5 November 2020, 19 days before Wan Azlee posted his video.

Why on Earth would he focus on a 6-month-old version of the app, when there is a much newer version?

Fact #2 : Exodus Posted Their Latest MySejahtera Report On 20 November 2020

Exodus posted their latest report on the latest version of MySejahtera (version 1.0.25) on 20 November 2020 at 10:47 am (as you can see in this screenshot).

That was 4 days before Wan Azlee posted his video, so why didn’t he use this new report instead?

Fact #3 : MySejahtera Has 1 Tracker + 14 Permissions According To Exodus

According to the November 20 Exodus report, MySejahtera has 1 tracker – Google Firebase Analytics, and 14 permissions, of which the highlighted ones were :

  • ACCESS_COARSE_LOCATION : access approximate location (network-based)
  • ACCESS_FINE_LOCATION : access precise location (GPS and network-based)
  • CALL_PHONE : directly call phone numbers
  • CAMERA : take pictures and videos
  • READ_EXTERNAL_STORAGE : read the contents of your SD card
  • WRITE_EXTERNAL_STORAGE : modify or delete the contents of your SD card

We immediately noticed that several controversial permissions are no longer in it :

  • GET_ACCOUNTS : find accounts on the device
  • READ_CONTACTS : read your contacts
  • WRITE_CONTACTS : modify your contacts

So if you are worried that MySejahtera is reading your contacts or modifying them, just UPDATE it to the latest version 1.0.25!
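The comparison in Fact #3 can be repeated for any two releases of an app by diffing the uses-permission entries of their decoded AndroidManifest.xml files (as produced by a tool such as apktool). The sketch below is an added example, not code from Exodus or MySejahtera; the two manifests are constructed from the permissions named on this page only, and the package name is a placeholder.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions named on this page that Android classifies as "dangerous",
# meaning the user must grant them at runtime on Android 6.0 and later.
DANGEROUS = {"android.permission." + p for p in (
    "ACCESS_COARSE_LOCATION", "ACCESS_FINE_LOCATION", "CALL_PHONE", "CAMERA",
    "READ_EXTERNAL_STORAGE", "WRITE_EXTERNAL_STORAGE",
    "GET_ACCOUNTS", "READ_CONTACTS", "WRITE_CONTACTS")}

def declared_permissions(manifest_xml):
    """Return the set of permission names declared in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    names = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for node in root.iter(tag):
            name = node.get(ANDROID_NS + "name")
            if name:
                names.add(name)
    return names

def diff_versions(old_xml, new_xml):
    """Compare two manifests and report what changed between releases."""
    old, new = declared_permissions(old_xml), declared_permissions(new_xml)
    return {
        "removed": sorted(old - new),
        "added": sorted(new - old),
        "dangerous_remaining": sorted(new & DANGEROUS),
    }

def build_manifest(short_names):
    """Build a constructed manifest; the package name is a placeholder."""
    body = "".join('<uses-permission android:name="android.permission.%s"/>' % n
                   for n in short_names)
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            'package="example.placeholder.app">' + body + "</manifest>")

# Constructed samples: only the permissions this page names, not full manifests.
NEW_PERMS = ["ACCESS_COARSE_LOCATION", "ACCESS_FINE_LOCATION", "CALL_PHONE",
             "CAMERA", "READ_EXTERNAL_STORAGE", "WRITE_EXTERNAL_STORAGE"]
OLD_PERMS = NEW_PERMS + ["GET_ACCOUNTS", "READ_CONTACTS", "WRITE_CONTACTS"]
OLD_MANIFEST, NEW_MANIFEST = build_manifest(OLD_PERMS), build_manifest(NEW_PERMS)

if __name__ == "__main__":
    for key, value in diff_versions(OLD_MANIFEST, NEW_MANIFEST).items():
        print(key, value)
```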

Fact #4 : Actual Permissions Are Fewer

When we checked MySejahtera 1.0.25 as installed on our phone, we found that it actually asked for and used only 11 permissions, instead of 14 as reported by Exodus.

The report also offered a bit more context about those permissions. For instance, location data is only made available when you are actively using the app.

That’s because the location data is used by MySejahtera for its Hotspot Tracker and Locate Health Screening Facility features.

On your phone, you can tap on them for more information on what they allow the app to do.

Fact #5 : Apps Need To Read, Modify + Delete Their Own Data

The permission to read, modify and delete content on our phone may seem ridiculous, but it is a necessity for most apps.

Unless the app is merely a container for a website or web service, it needs to store data, and modify or delete it when necessary.

Fact #6 : Access To External / SD Card Is Necessary

Most developers will also ask for the permission to read, modify and delete content on the (micro) SD card, because of Adoptable Storage.

Adoptable Storage is a feature that lets smartphones use external storage (like a microSD card) as if it is part of their internal storage.

When a microSD card is used this way, apps like MySejahtera can be installed on it. Therefore, it would require permission to read, modify and delete its own data on the external storage card.

Fact #7 : Android Restricts Data Snooping

Apps that have access to read / modify / write external storage are allowed to access files from other apps. However, this is limited to only these three media collections :

  • MediaStore.Images
  • MediaStore.Video
  • MediaStore.Audio

MySejahtera, or any other app with similar permissions, cannot read / modify / delete data outside of those three media storage locations.

Fact #8 : MySejahtera Has A Privacy Policy

Like all other Android and iOS apps, MySejahtera has a privacy policy, where it is stated clearly that :

MySejahtera is owned and operated by the Government of Malaysia. It is administrated by the Ministry of Health (MOH) and assisted by the National Security Council (NSC) and the Malaysian Administrative Modernisation and Management Planning Unit (MAMPU). The Government assures that the collection of your personal information is align with Personal Data Protection Act 2010 (Act 709).

The app will not record user’s Personal Data except with the permission and voluntarily provided by the user. Information collected are used for monitoring and enforcement purposes by Government authorities in dealing with the COVID-19 pandemic. This information is not shared with other organizations for other purposes unless specifically stated.

Fact #9 : You Are Protected By PDPA 2010 (Act 709)

We are all protected by the Personal Data Protection Act 2010 (Act 709).

Anyone who is caught sharing our personal data without permission is liable to a fine not exceeding three hundred thousand ringgit or to imprisonment for a term not exceeding two years or to both.

Fact #10 : You Can Disable Permissions

You can view and disable any permission that worries you :

Android

  1. Go to Settings > Apps >  MySejahtera > Permissions.
  2. Tap on the permission you don’t want, and select Deny.

Apple iOS

  1. Go to Settings > MySejahtera.
  2. Disable the permissions you don’t want.

But note that doing this will likely break some features in MySejahtera.
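The gap between what an app declares (Fact #4) and what it currently holds after you deny permissions (Fact #10) can be checked from a computer by saving the output of adb shell dumpsys package for the app and parsing it. The script below is an added example, not part of the original article; the sample dump is constructed, uses a placeholder package name, and follows the section layout that command typically prints, which can vary between Android versions.

```python
import re

# Constructed sample of "adb shell dumpsys package <package>" output.
SAMPLE_DUMPSYS = """\
Packages:
  Package [example.placeholder.app] (0a1b2c3):
    requested permissions:
      android.permission.INTERNET
      android.permission.CAMERA
      android.permission.ACCESS_FINE_LOCATION
      android.permission.CALL_PHONE
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: ceDataInode=0 installed=true hidden=false
      runtime permissions:
        android.permission.CAMERA: granted=true, flags=[ USER_SET ]
        android.permission.ACCESS_FINE_LOCATION: granted=false, flags=[ USER_SET ]
        android.permission.CALL_PHONE: granted=false
"""

HEADER = re.compile(r"^\s*(requested|install|runtime) permissions:\s*$")
ENTRY = re.compile(r"^\s*([\w.]+)(?::\s*granted=(true|false))?")

def parse_permissions(dump):
    """Split the dump into requested / install / runtime permission maps."""
    sections = {"requested": {}, "install": {}, "runtime": {}}
    current = None
    for line in dump.splitlines():
        header = HEADER.match(line)
        if header:
            current = header.group(1)
            continue
        entry = ENTRY.match(line)
        if current and entry and ".permission." in entry.group(1):
            state = entry.group(2)
            sections[current][entry.group(1)] = (state == "true") if state else None
        elif line.strip():
            current = None  # any other non-blank line ends the section
    return sections

def audit(dump):
    """Summarise declared, currently granted and user-denied permissions."""
    parsed = parse_permissions(dump)
    held = {**parsed["install"], **parsed["runtime"]}
    return {
        "declared": sorted(parsed["requested"]),
        "granted": sorted(name for name, ok in held.items() if ok),
        "denied": sorted(n for n, ok in parsed["runtime"].items() if ok is False),
    }

if __name__ == "__main__":
    for key, value in audit(SAMPLE_DUMPSYS).items():
        print(key, value)
```

On a device with several user profiles the runtime section repeats per user; this sketch merges them, so capture the dump for a single-user device or split it per user first.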

Fact #11 : Many Other Apps Are Worse For Your Privacy

When it comes to privacy, we have bigger fish to fry. Take a look at how many trackers and permissions these four popular apps require.

They make MySejahtera look absolutely privacy-conscious!
