Zerodha co-founder and CEO Nithin Kamath has revealed that he does not use internet banking apps on his smartphone. The reason is a criticism on how Indian banks approach mobile security.

In a post on X (formerly Twitter), Kamath said the mandatory permissions demanded by most banking apps simply do not make sense to him.“I don't use net banking apps on my phone because the mandatory permissions they ask for make no sense," he questioned, highlighting that requiring such “invasive device” access is actually contrary to global cybersecurity best practices.Kamath also pointed to a cybersecurity standard known as the Principle of Least Privilege (PoLP) – the idea that any app or system should only access what is strictly necessary to perform its function.

“Why does a banking app need access to my SMS, phone, contacts, etc., in the name of security, when not seeking invasive device permissions is, in fact, the global benchmark for cybersecurity. This is called the Principle of Least Privilege (PoLP),” Kamath added.

Kamath says Zerodha ‘does the opposite’

The Zerodha chief also drew a quick contrast with how his own company has built its trading platform that does not ask for unnecessary permissions. He noted that Kite, Zerodha's flagship mobile app, requests zero permissions from users which is a deliberate design choice.

“Don't do unto others what you don't want done unto you,” Kamath said while describing it as a founding philosophy at Zerodha.“This is exactly why we've built Zerodha the way we have. Kite asks for ZERO permissions on mobile, for instance, and this is one of the big reasons why millions of people trust us. What has enabled us is SEBI's mandatory strong two-factor authentication framework strike the right balance between security and privacy,” he added, noting that SEBI’s mandatory two-factor authentication framework if on-point for making it possible to build a secure platform without resorting to invasive data collection.