Zerodha co-founder Nithin Kamath has criticized net banking apps for the excessive permissions they demand on users' smartphones. Kamath says the "invasive device permissions" these apps require have led him not to use them on his phone.
In a post on X (formerly Twitter), Kamath wrote, “I don’t use net banking apps on my phone because the mandatory permissions they ask for make no sense.”
Kamath then went on to question why banking apps require access to sensitive personal data such as SMS messages, call logs and contacts in the name of security.
He also pointed out that declining such invasive device permissions is the accepted benchmark for cybersecurity, and named the concept behind it: the Principle of Least Privilege (PoLP), under which software is granted only the access it needs to do its job and nothing more. The 46-year-old contrasted the mandatory permissions demanded by net banking apps with the minimal permissions required by Zerodha's own apps.
“Why does a banking app need access to my SMS, phone, contacts, etc., in the name of security, when not seeking invasive device permissions is, in fact, the global benchmark for cybersecurity. This is called the Principle of Least Privilege (PoLP),” he added.
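The permission groups Kamath names (SMS, phone, contacts) are all Android runtime permissions, and the check he is describing can be mechanised. The script below is an added example, not Zerodha's code or anything taken from the article: it parses an AndroidManifest.xml, flags every requested permission that falls in a runtime ("dangerous") group, and reports anything outside an allowlist of permissions the app genuinely needs. The two manifests and the package names in it are constructed for illustration and do not describe any real app. For a compiled APK the same list is obtained with `aapt dump permissions app.apk`, and for an installed app with `adb shell dumpsys package <pkg>`; the output of either can be fed to the same audit logic.

```python
"""Least-privilege audit of an Android manifest (added example).

The manifests below are constructed samples, not taken from any real app.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"

# Runtime ("dangerous") permissions keyed to the Android permission group
# they belong to. Covers the groups named in the article plus the other
# common ones; it is not an exhaustive list of the platform's permissions.
DANGEROUS = {
    "android.permission.READ_SMS": "SMS",
    "android.permission.RECEIVE_SMS": "SMS",
    "android.permission.SEND_SMS": "SMS",
    "android.permission.READ_CALL_LOG": "CALL_LOG",
    "android.permission.WRITE_CALL_LOG": "CALL_LOG",
    "android.permission.READ_CONTACTS": "CONTACTS",
    "android.permission.WRITE_CONTACTS": "CONTACTS",
    "android.permission.READ_PHONE_STATE": "PHONE",
    "android.permission.CALL_PHONE": "PHONE",
    "android.permission.ACCESS_FINE_LOCATION": "LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION": "LOCATION",
    "android.permission.CAMERA": "CAMERA",
    "android.permission.RECORD_AUDIO": "MICROPHONE",
}


def requested_permissions(manifest_xml: str) -> list[str]:
    """Return every permission the manifest asks for.

    Both <uses-permission> and <uses-permission-sdk-23> are real manifest
    elements; the latter is only requested on API 23+ devices but still
    counts as a request.
    """
    root = ET.fromstring(manifest_xml)
    perms = []
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            name = el.get(NAME_ATTR)
            if name:
                perms.append(name)
    return perms


def audit(manifest_xml: str, allowlist: set[str]) -> dict:
    """Compare requested permissions against what the app actually needs.

    Returns the dangerous groups touched, the permissions outside the
    allowlist, and an overall least-privilege verdict.
    """
    dangerous_groups: dict[str, list[str]] = {}
    not_allowed: list[str] = []
    for perm in requested_permissions(manifest_xml):
        group = DANGEROUS.get(perm)
        if group:
            dangerous_groups.setdefault(group, []).append(perm)
        if perm not in allowlist:
            not_allowed.append(perm)
    return {
        "dangerous_groups": dangerous_groups,
        "not_in_allowlist": not_allowed,
        "least_privilege_ok": not not_allowed,
    }


# Constructed sample 1: a hypothetical banking app requesting the groups the
# article complains about. INTERNET is an install-time permission granted
# automatically; it never produces a runtime prompt.
BANK_MANIFEST = f"""<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="{ANDROID_NS}" package="com.example.bank">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission-sdk-23 android:name="android.permission.READ_PHONE_STATE"/>
</manifest>"""

# Constructed sample 2: a hypothetical trading app that needs only network
# access, i.e. zero runtime permissions.
TRADING_MANIFEST = f"""<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="{ANDROID_NS}" package="com.example.trading">
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

# What each app can justify: network access only.
NEEDED = {"android.permission.INTERNET"}


if __name__ == "__main__":
    for label, manifest in (("bank", BANK_MANIFEST), ("trading", TRADING_MANIFEST)):
        result = audit(manifest, NEEDED)
        print(label, "least privilege:", result["least_privilege_ok"])
        for group, perms in result["dangerous_groups"].items():
            print(f"  {group}: {', '.join(perms)}")
```

The allowlist is the important input: least privilege is judged against what the app's functions actually need, not against what the platform permits, so the audit is only as honest as the allowlist you write for it. Anything in `not_in_allowlist` is a permission the product team must justify or drop.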
Nithin Kamath on Zerodha’s philosophy:
Kamath noted that "Don't do unto others what you don't want done unto you" has been Zerodha's philosophy. He added that Zerodha's flagship trading platform, Kite, asks for zero permissions on mobile, and called this decision a major reason why millions of users trust the platform.
“This is exactly why we’ve built Zerodha the way we have. Kite asks for ZERO permissions on mobile, for instance, and this is one of the big reasons why millions of people trust us. What has enabled us is SEBI’s mandatory strong two-factor authentication framework to strike the right balance between security and privacy,” Kamath noted.
Kamath also linked to a Zerodha support page that sets out the company's policies on data usage.
“Our mobile apps only seek permissions that are necessary for their functioning. There is no direct or indirect tracking or profiling of customer behaviour in any form,” the support page reads.
The page also states that Zerodha does not use third-party marketing “pixels” or trackers for behavioural tracking and profiling of its users, and does not follow ‘customers around the internet via third-party trackers’.
It further notes that the company does not use ‘incessant push notifications, UI dark patterns’ or other gimmicks to keep users engaged.