Quick answer. If you tapped “Allow” on camera, contacts, SMS, and location for an app you do not fully trust, that app can now read your photos, copy your entire address book, read every incoming OTP and bank SMS, and follow you around the city. This is the exact combo loan harassment apps and stalkerware use. Open Settings, revoke all four permissions today, force stop the app, scan your phone, change passwords on email and banking, and read the rest of this guide before you uninstall. The RTI Wiki editorial team will walk you through every step for Android and iPhone, plus how the DPDP Act 2023 gives you a legal right to withdraw consent and demand deletion.
If you are short on time, jump to What to do in the next 30 minutes and the one page revoke checklist.
A 28 year old marketing executive in Bengaluru installed a “fast personal loan” app on a Sunday night. It asked for camera, contacts, SMS, and location. She tapped Allow. By Tuesday morning her cousin in Delhi got a WhatsApp message with her photo and the line “she is a loan defaulter, please tell her to pay”. She had not even taken the loan. She had only opened the app once.
This page is for that moment. Information on permissions is scattered across help pages from Google, Apple, RBI, MeitY, and a dozen consumer blogs. We bring it together: what each of the four permissions actually unlocks, why the combination of all four is the danger signal, how to revoke each one on Android and iPhone, when to uninstall, when to factory reset, when to walk into a cyber police station, and how the Digital Personal Data Protection Act 2023 gives you a clean legal route to demand the app delete every byte it copied.
Any single permission can be fine. A photo editor needs the camera. WhatsApp needs contacts. A bank app needs SMS for OTP autoread. A food delivery app needs location.
The danger is the combination. When one app asks for all four, especially at install time before you have done anything useful inside, three things become possible at once:
This is exactly the playbook of illegal loan apps, flagged by RBI and MeitY under the Digital Lending Guidelines 2022 and IT Rules 2021. The same risk applies to fake astrology apps, “earn money” apps, romance scams, fake government scheme apps, and stalkerware sold as “child safety” or “spouse monitoring”. See also Fake app installed on phone and Email misused for loans, apps, deliveries.
Citizens often think a permission gives access only when the app is open. That is wrong. By default most permissions on Android are “While using the app” or “All the time” depending on what you tapped. On iPhone the choices are clearer, but defaults still leak more than people realise.
Camera permission lets the app open the front or rear camera while in the foreground, capture stills and video, and control flash and zoom. On older Android, some apps recorded without showing the in-use indicator. iOS 14 and Android 12 added a green or orange dot in the status bar, but most people do not notice it. A loan app, once approved, can demand a “KYC selfie”, record video of your room, and store everything. A stalkerware app can be opened by background automation and capture the user's face.
Contacts permission lets the app read every name, phone number, email, and saved relationship in your phone, including nicknames like “Mummy” or “Boss”, which make the list high signal. This is the single most weaponised permission in India. With your contact list a coercion operator can send a WhatsApp message to your father saying you are a defaulter, send a voice note to your spouse saying you are cheating, email your office HR saying you are a fraudster, and sell the list to other operators who repeat the cycle. There is no honest reason for a loan app, wallpaper app, or flashlight app to read your contacts.
SMS permission lets the app read every SMS in your inbox (including bank alerts from years ago), read every new SMS as it arrives (including OTPs), send SMS from your number, and mark messages as read so you never see them. This is the most dangerous permission for your bank account. With SMS read access an app can capture the OTP for a UPI transfer, a credit card transaction, an Aadhaar based eKYC, or a “forgot password” attempt on your email.
Google has tightened SMS permissions since 2019. Under Google Play policy, apps on the Play Store may hold them only if set as the default SMS handler (with narrow exceptions), but older devices and side loaded apps are not bound by that policy and still get it the old way. iPhone has never given apps direct SMS read access, only an autofill suggestion when the user taps the OTP field. That is one big reason iPhones are slightly safer here.
Location permission lets the app know your precise GPS coordinates within about 5 metres outdoors, your approximate position from cell towers and Wi Fi, your movement history if you also gave background location, and your home and office (inferred from where you sleep and where you spend weekdays). Location plus camera plus contacts is the stalkerware combo. An abusive partner who installs a “family safety” app on a spouse's phone can pinpoint home, work, the doctor's clinic, and family visits. For loan harassment, location lets an operator say “we know you are at this address” and double the fear.
For a deeper civic context see Middle class traps every family should know and Citizen RTI playbook.
You do not need to be a security expert. These signs together are enough.
A single sign is a flag. Three or more, act today.
Do these in order. Stop the bleeding first, then investigate.
Only after these 11 steps should you uninstall, because uninstalling first sometimes removes the evidence you need.
Print or save this. Tick each box.
The exact menu varies slightly across Android 12, 13, 14, and 15, and across OEM skins like One UI on Samsung, MIUI or HyperOS on Xiaomi, ColorOS on Oppo, and OxygenOS on OnePlus. The structure is the same.
Settings, Apps, See all apps, tap the suspect app, Permissions. Tap each permission shown as “Allowed” and set to “Don't allow”. Back out, tap Mobile data and Wi Fi, switch off Background data. Back to the main app screen, Force stop.
Settings, Privacy, Permission manager. Tap Camera to see every app that has it, then revoke. Repeat for Contacts, SMS, Location, Microphone, Files and media, Phone, Calendar, and Body sensors. This is gold for periodic audits.
Android 11 and above auto reset permissions for apps you have not opened in a few months. In Settings, Apps, the suspect app, switch on “Remove permissions if app is unused”.
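For anyone auditing a phone over a USB cable rather than through the Settings screens, here is an added example (not code from the RTI Wiki page or any project it names) that does the two things described above in one pass: it reads the per-app “runtime permissions” blocks that `adb shell dumpsys package` prints, flags any app holding the camera + contacts + SMS + location combination the guide calls the danger signal, and lists the `adb shell pm revoke` commands that would take those grants away. The dumpsys text inside the script is a constructed sample in the shape dumpsys prints; the package names are made up.

```python
"""Audit Android runtime permission grants from `adb shell dumpsys package` output.

Added example, not code from the RTI Wiki page or any project it mentions.
Run `adb shell dumpsys package > dump.txt` on a real device and pass the file
contents to parse_runtime_grants(); the sample below is constructed.
"""
import re
from collections import defaultdict

# The four permission groups the guide discusses, mapped to the Android
# manifest permission names that actually carry them.
GROUPS = {
    "camera": {"android.permission.CAMERA"},
    "contacts": {"android.permission.READ_CONTACTS",
                 "android.permission.WRITE_CONTACTS"},
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
            "android.permission.SEND_SMS"},
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION",
                 "android.permission.ACCESS_BACKGROUND_LOCATION"},
}

PACKAGE_RE = re.compile(r"^\s*Package \[([\w.]+)\]")
GRANT_RE = re.compile(r"^\s*(android\.permission\.[A-Z_]+): granted=(true|false)")


def parse_runtime_grants(dumpsys_text):
    """Return {package: set of granted runtime permission names}.

    Only the per-user "runtime permissions:" block is read. Install-time
    permissions such as INTERNET are skipped because the user cannot revoke them.
    """
    grants = defaultdict(set)
    package, in_runtime = None, False
    for line in dumpsys_text.splitlines():
        m = PACKAGE_RE.match(line)
        if m:
            package, in_runtime = m.group(1), False  # new package resets state
            continue
        stripped = line.strip()
        if stripped == "runtime permissions:":
            in_runtime = True
            continue
        if in_runtime and stripped.endswith(":") and not GRANT_RE.match(line):
            in_runtime = False  # another sub-section begins
            continue
        m = GRANT_RE.match(line)
        if m and in_runtime and package and m.group(2) == "true":
            grants[package].add(m.group(1))
    return dict(grants)


def groups_held(granted):
    """Map a set of granted permission names to the guide's four groups."""
    return {g for g, names in GROUPS.items() if granted & names}


def flag_dangerous_combo(grants, required=("camera", "contacts", "sms", "location")):
    """Packages holding every group in `required` at once, sorted by name."""
    return sorted(p for p, g in grants.items() if set(required) <= groups_held(g))


def revoke_commands(package, granted):
    """adb commands that revoke each sensitive runtime grant (pm revoke is a real pm subcommand)."""
    sensitive = set().union(*GROUPS.values())
    return [f"adb shell pm revoke {package} {perm}" for perm in sorted(granted & sensitive)]


# Constructed sample in the shape dumpsys prints; package names are invented.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.fastloan] (1a2b3c):
    userId=10234
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: ceDataInode=12345 installed=true hidden=false stopped=false
      runtime permissions:
        android.permission.CAMERA: granted=true, flags=[ USER_SET|USER_SENSITIVE_WHEN_GRANTED]
        android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET]
        android.permission.READ_SMS: granted=true, flags=[ USER_SET]
        android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET]
  Package [com.example.foodapp] (4d5e6f):
    userId=10235
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: ceDataInode=12346 installed=true hidden=false stopped=false
      runtime permissions:
        android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET]
        android.permission.READ_CONTACTS: granted=false, flags=[ USER_SET|USER_FIXED]
"""

if __name__ == "__main__":
    grants = parse_runtime_grants(SAMPLE_DUMPSYS)
    for pkg in flag_dangerous_combo(grants):
        print(f"DANGER SIGNAL: {pkg} holds camera + contacts + SMS + location")
        for cmd in revoke_commands(pkg, grants[pkg]):
            print("  ", cmd)
```

Revoking over adb has exactly the same effect as tapping “Don't allow” in Settings: it stops access from that moment on but does nothing about copies already on the app's servers, which is what the DPDP erasure request later on this page is for.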
These two areas are where the worst apps hide. They are not in the normal permission list.
Settings, Apps, three dot menu, Reset app preferences. This does not delete apps or data; it only resets default apps, notifications, background data restrictions, and disabled apps. You will be reprompted for permissions as you use each app.
iOS is more contained than Android, but the basics are the same.
Settings, scroll to the suspect app name. You will see toggles for Location, Contacts, Microphone, Camera, Photos, Tracking, Cellular Data, Background App Refresh, and Notifications. Switch off every one you do not actively need.
Settings, Privacy and Security. Tap Camera to see every app that requested it. Switch off the ones you do not want. Repeat for Contacts, Microphone, Photos, Location Services, Motion and Fitness, Bluetooth, Local Network, and Tracking.
In Privacy and Security, Location Services, set each app to “While Using” or “Never”. Avoid “Always” except for genuine navigation apps. Open “System Services” at the bottom and clear “Significant Locations” if not needed. In Privacy and Security, Tracking, switch off “Allow Apps to Request to Track” for a blanket ban, or review the list and deny each suspicious app.
This is the most underused safety feature on iPhone. It shows which sensors and data sources each app touched in the last week. Settings, Privacy and Security, App Privacy Report. Turn it on, wait a week, then open and review. You will see which apps accessed your photos, contacts, location, camera, and microphone at 3 am.
If you cannot find a setting, Settings, General, Transfer or Reset iPhone, Reset All Settings is the nuclear option short of erase. It does not delete photos or apps; it resets Wi Fi passwords, VPNs, and privacy decisions, so you will be reprompted by each app.
Most apps you can simply uninstall after revoking permissions. Some need stronger treatment.
Factory reset workflow for Android: back up to Google Drive, including photos and WhatsApp chats, then Settings, System, Reset, Erase all data. After reset, reinstall apps one by one from the Play Store; do not restore the full backup blindly. For iPhone: Settings, General, Transfer or Reset iPhone, Erase All Content and Settings. Restore from an iCloud backup taken before the suspect app was installed, if possible.
Signs you must factory reset: bank money moved without approval, SMS or call logs you did not make, family already got coercion messages, the app gained device admin or accessibility, or the camera or microphone indicator stays on when no app is open. For phone level cleanup see also Fake app installed on phone: removal and bank safety.
If money is missing, family has been contacted, or you plan a cyber complaint, gather this before you uninstall.
Store everything in one folder on a different device or cloud drive, not only on the affected phone.
There are five doors and you can knock on more than one in parallel.
If the app came from an official store, report it there. Play Store: app listing, three dot menu, “Flag as inappropriate”, pick the best fit. App Store: app page, “Ratings and Reviews”, “Report a Problem”, or reportaproblem.apple.com. Keep the email confirmation.
The Ministry of Electronics and IT runs the National Cyber Crime Reporting Portal at cybercrime.gov.in. Choose “Report Financial Fraud” if money has moved, else “Report Other Cybercrime” under “Online Cyber Trafficking” or similar category. Attach your evidence pack and note the complaint number. For the financial side see Bank freeze in cyber fraud cases and 1930 helpline call script.
If money has been debited or you fear it will be, dial 1930 within the first hour if possible. Read the call script in our 1930 helpline guide before you dial. Note the acknowledgement number.
For unauthorised lending apps and digital lending abuse, file at sachet.rbi.org.in. Quote the RBI Digital Lending Guidelines 2022, which restrict regulated lenders to only what is necessary for the loan, with explicit consent, and forbid contact list and gallery access.
The DPDP Act 2023 gives you direct rights as a Data Principal: withdraw consent under §6(4) and §6(6); erasure under §12; grievance redressal under §13 (every Data Fiduciary must publish a grievance officer's contact). If unsatisfactory within 30 days, complain to the Data Protection Board under §27. Send your withdrawal in writing (email is fine). Template below.
For account level recovery see Locked out of Google, Apple, Meta or Microsoft accounts: recovery.
Most cases close at the store and portal level. But escalate to local cyber cell or a police station when any of these are true.
Walk into the cyber police station of your district with the evidence pack. Ask for an FIR under the relevant sections of the Bharatiya Nyaya Sanhita 2023 (BNS) such as cheating, criminal intimidation, and forgery as applicable, read with the Information Technology Act 2000 §66 to §66D and §67. The procedure follows the Bharatiya Nagarik Suraksha Sanhita 2023 (BNSS), which replaced the old CrPC.
If the cyber police are unresponsive, escalate to the Superintendent of Police, then to the State Cyber Crime Wing, then file a writ under Article 226 in the High Court if a serious right is at stake. For a structured citizen advocacy path see Citizen RTI playbook.
Use this template. Adapt the bracketed parts. Send it from the email you used to sign up. Copy the grievance officer (if listed), the app's general support email, the Play Store developer email, and yourself.
Subject: Withdrawal of consent under DPDP Act 2023 and request for data deletion - [app name] - [your phone number]

To,
The Grievance Officer
[App name and developer entity]

Sir or Madam,

I am a Data Principal under the Digital Personal Data Protection Act 2023. I installed your app [app name] on [date] using mobile [+91 xxxxx xxxxx] and email [your email]. At install I granted camera, contacts, SMS, and location permissions.

1. I withdraw my consent under section 6(4) and 6(6) of the DPDP Act 2023, with immediate effect, for all processing of my personal data, including data accessed through camera, contacts, SMS, and location.

2. I exercise my right to erasure under section 12. Please delete all my personal data, including contact list, SMS metadata, photographs, videos, location history, device identifiers, and any derived data, within the timelines prescribed under law.

3. I exercise my right to information under section 11. Please confirm in writing what categories of my data you collected, processed, and shared with any third party, including debt collection agents, marketing partners, and affiliate apps.

4. I require written confirmation of deletion within 30 days, signed by your Data Protection or Grievance Officer.

If the response is unsatisfactory, I will complain to the Data Protection Board of India under section 27, and pursue remedies under the IT Rules 2021 and the IT Act 2000.

Please also stop contacting any number from my contact list. Any further contact with my contacts will be treated as criminal intimidation under the BNS 2023 and reported to the cyber police.

Yours,
[Your name]
[Phone] | [Email] | [City] | [Date]
Send this even after uninstalling. The withdrawal and deletion rights exist regardless of whether the app is still on your phone.
The DPDP Act 2023 is India's first standalone data protection law. A few simple principles, each one a hook for your case.
For broader RTI based advocacy, our Citizen RTI playbook shows how to file parallel RTIs to MeitY, RBI, and TRAI to push slow grievances forward.
Two months ago a college student in Indore installed a “free wifi finder” app that asked for camera, contacts, SMS, location, microphone, and storage. He tapped Allow on all. The app worked for one day and crashed. Three weeks later his mother received a WhatsApp message saying he had taken a loan of fifteen thousand rupees and was not paying. The number was Indian, the display picture was his face, and he had never taken a loan in his life.
In one evening he revoked all permissions, force stopped the app, took screenshots of the permission screen and install date, sent the DPDP withdrawal template above, filed on cybercrime.gov.in under “Online Cyber Trafficking”, filed on RBI Sachet, reported the app on Google Play, reset Gmail and Paytm passwords, uninstalled, and sent one WhatsApp note to family asking them to ignore loan related messages from him for the next month. Harassment stopped within four days. He did not have to visit a police station but kept his evidence pack ready.
The Indore example is a composite built from several real cases handled by community helpers, with details changed. The pattern is very common across small cities and college campuses.
No. Revoking stops further access from this moment. To force deletion of what was already copied, invoke your DPDP Act §12 erasure right by writing to the app, as in the sample template above.
Uninstall removes the app from your phone but not the copy of your contacts or SMS already on the app's servers. Always send the consent withdrawal and erasure request even after uninstalling.
Strong sign of a background process or hidden app with accessibility access. Reboot, check accessibility services and device admin apps, run Play Protect, and factory reset if it continues. On iPhone, check App Privacy Report and reset all settings.
A modern flashlight app from a known publisher cannot. A side loaded APK pretending to be one can request SMS at install on older Android or trick you with a fake “verify your number” prompt. Always install from the Play Store and read permissions.
Some are, some are not. Trust only RBI regulated lenders or their authorised partners, and even those should not ask for full contacts or gallery access. Cross check the lender name against the RBI list before borrowing. See Bank freeze in cyber fraud cases.
No. Bank OTP autofill on Android needs SMS permission for the bank app or messaging app. Reinstate it only for trusted apps such as your bank app and your default messaging app. Keep it revoked for everything else.
Often yes. The cyber cell can request CDR and bank trails. Many recoveries happen because the harasser reused the same UPI ID across cases. Give the cyber cell the harassment messages, the app name, and the bank account if money was demanded.
Yes. Section 3 covers processing of personal data of Data Principals in India even if processing happens abroad, when connected with offering goods or services to people in India. Foreign loan apps marketing to Indians are covered.
You can still revoke permissions. You may not be able to uninstall a system app but you can usually disable it: Settings, Apps, the app, Disable. If OEM bundled stalkerware came preinstalled, raise a consumer complaint as well.
Yes. The right to withdraw consent and the right to erasure are not time barred at the citizen end. As long as the Fiduciary holds your personal data, you can withdraw consent and ask for erasure.
Schools and parents have a legitimate interest. Review the same way: which permissions, what data leaves the device, where it is stored, what the grievance officer contact is. DPDP Act 2023 §9 has special protections for children's data.
The 10 FAQs above are written in plain question and answer form, each as `==== Q ====` H3 headings. They are eligible for FAQPage JSON LD. The site wide schema generator at `/_assets/schema-auto.js` v2 picks up `==== Q ====` blocks and emits FAQPage automatically. Do not add inline `<HTML><script type="application/ld+json">` blocks here, as those render as visible code on this DokuWiki, per earlier site experience.
For the social card, generate a 1200×630 image. Prompt:
“A modern Indian smartphone in a calm hand, screen showing four glowing permission toggles labelled Camera, Contacts, SMS, Location, all being switched off. Background a softly blurred Indian middle class living room at dusk with warm light. No human face. No brand logos. Mood is calm and reassuring, not alarming. Flat illustration style, soft Indian colour palette of saffron, teal, and cream. 1200 by 630 aspect, no text overlay.”
The page title should not be burned into the image. The OG generator at the site level will overlay the title automatically.
Reviewed every quarter and after any major change to DPDP Act 2023 rules, RBI Digital Lending Guidelines, or Play and App Store policies.