Nithin Kamath, founder and CEO of Zerodha on Tuesday raised concerns over the growing use of intrusive permissions by banking and financial apps, questioning the logic behind what he describes as excessive access to users' personal data.
Kamath in a post on X said he avoids using net banking applications on his phone altogether, citing discomfort with the wide-ranging permissions they typically demand. According to him, requests for access to SMS, contacts, and phone data are difficult to justify, especially when framed as necessary for security.
“Why does a banking app need access to my SMS, phone, contacts, etc., in the name of security?” Kamath questioned in a post on X, adding that such practices contradict widely accepted security principles.
I don't use net banking apps on my phone because the mandatory permissions they ask for make no sense.
— Nithin Kamath (@Nithin0dha) March 17, 2026
Why does a banking app need access to my SMS, phone, contacts, etc., in the name of security, when not seeking invasive device permissions is, in fact, the global benchmark…
He pointed out that global cybersecurity standards advocate the opposite approach, minimising access rather than expanding it. This approach is formally known as the Principle of Least Privilege, which emphasises that applications should only request the bare minimum permissions required to function effectively.
The Zerodha chief underscored that respect for user privacy has been central to the company's philosophy. Drawing from the idea that “don't do unto others what you don't want done unto you,” Kamath said the firm has consciously avoided adopting invasive practices in its own products.
ALSO READ: Zerodha's Nithin Kamath Warns Of Offshore Betting Apps After Gaming Crackdown
This philosophy is reflected in Zerodha's flagship trading platform, Kite, which, he highlighted, operates without seeking any permissions on mobile devices. Kamath noted that this design choice has played a key role in building trust among millions of users.
He also credited the regulatory framework set by Securities and Exchange Board of India for enabling a balanced approach. The mandatory strong two-factor authentication (2FA) requirements, he said, ensure robust security without forcing companies to compromise on user privacy.
Kamath's remarks come at a time when concerns around data privacy and digital surveillance are intensifying globally. His stance adds to the broader debate on whether financial institutions are overreaching in the name of safeguarding users, and whether a shift towards privacy-first design could become the new standard in India's rapidly evolving fintech ecosystem.
Essential Business Intelligence, Continuous LIVE TV, Sharp Market Insights, Practical Personal Finance Advice and Latest Stories — On NDTV Profit.
