In a recent post on X (formerly Twitter), Kamath said he avoids using net banking apps on his phone, arguing that many of the permissions requested “make no sense” from a security standpoint.
He pointed to the Principle of Least Privilege (PoLP), a cybersecurity concept that advocates limiting access rights to only what is strictly necessary, as the global benchmark for secure systems.
I don’t use net banking apps on my phone because the mandatory permissions they ask for make no sense.
Why does a banking app need access to my SMS, phone, contacts, etc., in the name of security, when not seeking invasive device permissions is, in fact, the global benchmark…
— Nithin Kamath (@Nithin0dha) March 17, 2026
Kamath suggested that excessive data access in the name of security may, in fact, run counter to best practices, adding that applications should not seek “invasive device permissions” unless absolutely required.
Highlighting Zerodha’s approach, he said the company’s trading platform Kite operates without requesting any mobile permissions, attributing this design choice to user trust. He also noted that regulatory measures such as the strong two-factor authentication framework mandated by the Securities and Exchange Board of India help strike a balance between security and user privacy.
Kamath further outlined Zerodha’s broader operating philosophy, emphasising customer interest, transparency, and a focus on product quality over aggressive growth metrics.
The comments come amid ongoing debates around data privacy, app permissions, and cybersecurity practices in India’s rapidly expanding digital financial ecosystem.
First Published: Mar 18, 2026 7:48 AM IST
