Here’s something you need to be wary of. Flipkart’s new update for its app on Android, asks users to give it access to Contacts and SMS. While most of us would likely ignore this, it is something you should definitely take note of. We did, and we asked Flipkart about the same on Twitter. @Flipkartsupport’s response was less than satisfactory, as they kept repeating what is already mentioned on the Google Play page.
https://twitter.com/flipkartsupport/status/606366978022850560
https://twitter.com/flipkartsupport/status/606382228424171522
What's the big deal here?
According to Flipkart’s responses on Twitter, the app required permissions for SMS because it needs to automatically detect the OTP sent to your mobile number. This was the only convincing answer, already provided on the Google Play page. The company also says though that the Contacts access is needed in order to pre-fill information whenever required so that you type less. It mentions that Flipkart doesn’t access your other contacts. If you’re wondering what giving an app such permissions entails, check the screenshot below.
Now this is disturbing for two reasons. One, if Flipkart doesn’t intend to access your other contacts, it shouldn’t need to access your Contacts database. If you’re already a Flipkart member, you’ve provided the relevant details to the company already, meaning it has what it needs to ‘pre-fill information’. Also, if pre-filling is the only reason, then asking you to provide that information is a much better way than to access your contacts.
Secondly, Android’s current permissions system doesn’t allow you to choose what permissions you want to give to an app. This automatically means that if you have the newest update, then you’re automatically ‘trusting’ Flipkart with your Contacts, and hence also putting your friends and family’s privacy at risk.
Does the app work without this permission?
Further, we also went and tested whether the app works without permissions to Contacts. We picked up a Xiaomi phone, which comes with a built in Permissions manager, and denied Flipkart the permission to read Contacts. The app not only worked, but once we got to the order checkout page, all the relevant information, including the address for delivery was filled up. We even took it a step further, and denied the Flipkart app all the permissions that it asked for, not only did it work, we carried out an entire order without any hassles.
Do others do it?
Well, yes and no. PayTM asks for access to your contacts, but it's more justified in doing so, since the app can be used for recharging other people's mobile phones. The contacts access is needed in order to pick a number from the contact list and recharge their phones. Other e-commerce apps like Snapdeal, Jabong and Myntra, which have more or less the same business as Flipkart, don't ask to access your Contacts.
Afterall, why should they? Whether you want information to be 'pre-filled' should always be an option, and Flipkart or any other e-commerce app has no right to access your Contacts for the same unless you want it to.
Why is Flipkart's clarification not enough?
Firstly, we have contacted Flipkart's communications team asking for an official clarification for this, but haven’t had a response yet. We will update this story if a valid clarification is issued.
Next, on our Twitter conversation, Flipkart's only response was "To pre-fill your information wherever required so that you type less. We do not access your other contacts." We tried cross questioning them and getting a better answer, but got the same response again. You can read the Twitter conversation above. Eventually, Flipkart directed us to a link, which was a Google Play link, cleverly shrouded as a Bit.ly link. This was the Flipkart app page, which lo and behold, mentions the exact same thing they had already told us. It was evident that @Flipkartsupport, wasn't equipped or perhaps even authorised by the company, to respond to this query. (you will find most of the Twitter conversation attached above)
Update: Here's Flipkart's official clarification, which tells us what we already knew and still doesn't answer other questions.
"We are using the ‘Me’ section from the contacts to auto-fill the contact information in the mobile login flow, thereby eliminating the need for the user to type in the phone number manually. It makes logging in with the phone number easy."
We're waiting for a response on why this can't be done using the data the user provides during registration.
Update 2: Here's Flipkart's response.
“We want all users to have seamless experience when using the Flipkart app. This includes existing as well new users. For new users, we don't have any information. For existing users, while they may have registered with Flipkart, they may not have a phone number on file or they may be using a device which has a different phone number. Phone number from the ‘Me’ section allows us to identify the appropriate number and make the experience of logging in seamless and easy for the user.”
Why is Flipkart doing this?
While this may not be true, if you've been following the news recently, you would know that Flipkart is planning to go into an app only business model sometime in the future. The company has already started a beta process, by way of its Myntra portal, which is currently available only through the app. An app only platform though means you need to gather as much data as you can from your users. This is what makes us distrust Flipkart when it says "we do not access your other contacts". If it doesn't want to do so, then Flipkart simply does not need this permission.