BadeSaba Calendar: Privacy Risks of a Calendar App Operating Under Iran's Surveillance Framework

A black-box privacy audit of the BadeSaba Calendar Android application (v16.0.1), conducted over a limited three-day timeframe in May 2025, has revealed a pattern of aggressive data collection, fundamentally broken cryptographic protections, and insecure local storage practices. These findings would be concerning for any application in any jurisdiction, but they carry particular weight given the context in which BadeSaba operates: an Iranian-developed application, distributed through Iranian app stores, communicating with dozens of advertising and analytics endpoints, and serving a user base that lives under one of the most extensive state surveillance infrastructures in the region. In this environment, every piece of data that an application collects insecurely is data that exists within reach of actors whose access to it faces no meaningful independent legal check.
BadeSaba is among the most widely used calendar applications in Iran, providing Shamsi (Jalali) calendar functionality alongside religious event tracking and daily utilities. The audit was performed through reverse engineering of the APK without access to source code or documentation. While no evidence of backdoors, remote code execution, or root privilege escalation was found, the absence of deliberate malicious code does not diminish the risk. In Iran's regulatory environment, where there is no independent data protection authority, where telecommunications infrastructure is subject to state-mandated interception capabilities, and where domestic technology companies operate under legal obligations to cooperate with security agencies, the line between negligent data exposure and effective surveillance enablement becomes vanishingly thin.
Persistent Tracking in a Jurisdiction Without Privacy Safeguards
The application performs persistent location tracking through both GPS and network-based positioning, collecting precise geolocation data alongside extensive device fingerprinting that includes SIM operator details, hardware model identifiers, and operating system version information. Proximity sensor monitoring was also identified; nothing in a calendar application's functionality calls for it, and its presence points to behavioral data collection well beyond what the app needs to operate.
Network traffic analysis confirmed that data is encrypted in transit (HTTPS, that is, HTTP over TLS), but also that the application communicates with more than fifty distinct endpoints serving advertising, analytics, and configuration purposes. Transport encryption only protects the data between the device and each endpoint; it says nothing about what happens to it once it arrives. The sheer number of destinations means that user location and device metadata are distributed across a wide network of services, each of which operates within Iranian jurisdiction and is therefore subject to the same compelled-access framework. In a country where the state has repeatedly demonstrated its willingness to leverage domestic technology infrastructure for surveillance purposes — from internet shutdowns during protests to targeted monitoring of activists and journalists — the existence of fifty-plus data pipelines carrying location and device information is not merely a technical inefficiency. It is a structural vulnerability that aligns with how state-level data collection has historically been operationalized.
Insecure Local Storage: Exposure Compounded by Ecosystem Risks
BadeSaba saves unencrypted screenshots of its own user interface, popup content, and user backups to shared external storage directories. Any other application on the same device that holds the corresponding storage permission can read this data (on Android 10 and later, scoped storage narrows this to apps with the relevant media-read or all-files-access permission, but images written to shared media directories remain readable by any app granted image access). This vulnerability is significantly amplified by the ecosystem in which Iranian users operate. Applications in Iran are predominantly distributed through domestic app stores such as Myket and CafeBazaar, which lack the security vetting rigor of major international platforms. The probability that a user has installed other applications with storage permissions, some of which may themselves be poorly secured or deliberately designed to harvest data, is high. In this context, writing unencrypted personal data to shared storage is not merely poor engineering practice; it creates a practical, low-effort extraction path for any actor with the ability to distribute or compromise a co-installed application.
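To make the storage finding concrete, the following is an added illustration (written for this review, not BadeSaba's decompiled code) of the weak pattern described above beside the Android-idiomatic replacement: a rendered view written as a plain PNG into the shared Pictures directory, versus the same image written to the app's private cache and handed to the user's chosen share target through a FileProvider content URI. The provider authority, the `shares` subdirectory and the file names are assumptions for the example; the authority must match the `<provider>` entry in the app manifest.

```java
import android.content.Context;
import android.content.Intent;
import android.graphics.Bitmap;
import android.net.Uri;
import android.os.Environment;
import androidx.core.content.FileProvider;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;

public final class ShareScreenshot {

    // WEAK: the rendered view lands in the shared Pictures directory as a plain PNG.
    // Any co-installed app holding READ_EXTERNAL_STORAGE / READ_MEDIA_IMAGES can read it,
    // and the file stays behind after the share sheet is dismissed.
    static File saveToSharedStorage(Bitmap shot) throws IOException {
        File dir = Environment.getExternalStoragePublicDirectory(Environment.DIRECTORY_PICTURES);
        File out = new File(dir, "badesaba_share.png");   // hypothetical file name
        try (FileOutputStream fos = new FileOutputStream(out)) {
            shot.compress(Bitmap.CompressFormat.PNG, 100, fos);
        }
        return out;
    }

    // HARDENED: write into the app's private cache (owned by the app's own UID, not readable
    // by other packages) and grant the chosen share target a one-shot read on a content URI.
    // Only the app the user picks sees the image, and only while the URI grant lasts.
    static Intent shareViaFileProvider(Context ctx, Bitmap shot) throws IOException {
        File dir = new File(ctx.getCacheDir(), "shares");
        if (!dir.exists() && !dir.mkdirs()) {
            throw new IOException("cannot create " + dir);
        }
        File out = new File(dir, "share.png");
        try (FileOutputStream fos = new FileOutputStream(out)) {
            shot.compress(Bitmap.CompressFormat.PNG, 100, fos);
        }
        // Authority is an assumption; it must match the manifest <provider> whose
        // file_paths resource contains <cache-path name="shares" path="shares/" />.
        Uri uri = FileProvider.getUriForFile(ctx, ctx.getPackageName() + ".fileprovider", out);
        Intent send = new Intent(Intent.ACTION_SEND)
                .setType("image/png")
                .putExtra(Intent.EXTRA_STREAM, uri)
                .addFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION);
        return Intent.createChooser(send, null);
    }

    // Clean-up hook for after the share completes, so no copy lingers even in private storage.
    static boolean discardShare(Context ctx) {
        File f = new File(new File(ctx.getCacheDir(), "shares"), "share.png");
        return !f.exists() || f.delete();
    }
}
```

The difference a reviewer looks for is the directory: anything under `getCacheDir()` or `getFilesDir()` is protected by the per-app UID and file mode, whereas anything under a public external directory is protected only by whether other apps asked for a permission most of them already hold. Backups deserve the same treatment, with encryption under a Keystore-held key added on top, since they are meant to outlive the session.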
Broken Cryptography: Protection That Offers None
The cryptographic implementation within BadeSaba represents a comprehensive failure of secure design. The application relies on MD5 and SHA-1 for hashing, both collision-broken and deprecated for years. Encryption uses Triple DES (3DES) in ECB mode; ECB encrypts each 8-byte block independently under the same key, so identical plaintext blocks produce identical ciphertext blocks and the structure of the protected data (repeated records, padding, field layout) stays visible in the ciphertext without any key at all. Symmetric encryption keys and initialization vectors are hardcoded directly into the application code and are identical across every installation, so anyone who decompiles the APK obtains the key and can decrypt every user's data. ECB mode takes no IV, so a hardcoded IV contributes nothing where it is supplied, and a fixed IV in any mode that does take one again makes equal plaintexts produce equal ciphertexts. Lifting a static key from an APK takes a decompiler and a few minutes, not state-level capability. For a technically capable state actor (Iran's cyber capabilities are well documented across multiple independent assessments) these protections are functionally nonexistent, and even a far less capable adversary is barely inconvenienced. The encryption serves only as a facade that might reassure users while providing no actual barrier to data access.
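The two failures above, a static key and ECB mode, can be shown in a few lines of standard JCE code. The block below is an added example for this review, not code from the application or its developers: the 24-byte key is a hypothetical stand-in (the real key recovered in the audit is deliberately not reproduced), and AES-256-GCM with a per-message random nonce is the reviewer's recommended replacement, not something the page says the developers use. The sample plaintext is a constructed backup fragment with two identical records.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class StaticKeyEcbDemo {

    // Hypothetical stand-in for a static 24-byte 3DES key baked into an APK.
    static final byte[] HARDCODED_KEY =
            "0123456789abcdefghijklmn".getBytes(StandardCharsets.US_ASCII);

    // WEAK pattern: DESede in ECB mode under a key that is identical on every install.
    static byte[] encryptEcb(byte[] plaintext) throws Exception {
        Cipher c = Cipher.getInstance("DESede/ECB/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(HARDCODED_KEY, "DESede"));
        return c.doFinal(plaintext);
    }

    // What anyone holding the decompiled APK can do with every user's ciphertext.
    static byte[] decryptEcb(byte[] ciphertext) throws Exception {
        Cipher c = Cipher.getInstance("DESede/ECB/NoPadding");
        c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(HARDCODED_KEY, "DESede"));
        return c.doFinal(ciphertext);
    }

    // True if any two ciphertext blocks are identical: the ECB leak, visible without the key.
    static boolean hasRepeatedBlocks(byte[] ct, int blockSize) {
        for (int i = 0; i + blockSize <= ct.length; i += blockSize) {
            for (int j = i + blockSize; j + blockSize <= ct.length; j += blockSize) {
                if (Arrays.equals(Arrays.copyOfRange(ct, i, i + blockSize),
                                  Arrays.copyOfRange(ct, j, j + blockSize))) {
                    return true;
                }
            }
        }
        return false;
    }

    // HARDENED pattern: AES-256-GCM, fresh random 96-bit nonce per message, key never in code.
    // Output layout: nonce || ciphertext || 128-bit tag. In an Android app the key should be
    // generated with KeyGenerator.getInstance("AES", "AndroidKeyStore") so it never leaves the
    // Keystore; a process-local key is used here so the example runs on a desktop JVM.
    static byte[] encryptGcm(SecretKey key, byte[] plaintext) throws Exception {
        byte[] nonce = new byte[12];
        new SecureRandom().nextBytes(nonce);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, nonce));
        byte[] ct = c.doFinal(plaintext);
        byte[] out = new byte[nonce.length + ct.length];
        System.arraycopy(nonce, 0, out, 0, nonce.length);
        System.arraycopy(ct, 0, out, nonce.length, ct.length);
        return out;
    }

    // Decrypts nonce || ciphertext || tag; the tag check makes tampering fail loudly.
    static byte[] decryptGcm(SecretKey key, byte[] blob) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, blob, 0, 12));
        return c.doFinal(blob, 12, blob.length - 12);
    }

    static String hex(byte[] b) {
        StringBuilder sb = new StringBuilder();
        for (byte x : b) sb.append(String.format("%02x", x));
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a backup fragment made of two identical 8-byte records.
        byte[] record = "1404/02/".getBytes(StandardCharsets.US_ASCII);
        byte[] pt = new byte[16];
        System.arraycopy(record, 0, pt, 0, 8);
        System.arraycopy(record, 0, pt, 8, 8);

        byte[] ecb = encryptEcb(pt);
        System.out.println("3DES-ECB ct     : " + hex(ecb));
        // ECB: the two identical plaintext blocks encrypt to two identical ciphertext blocks.
        System.out.println("repeated blocks : " + hasRepeatedBlocks(ecb, 8));
        // With the key lifted from the APK, decryption is a one-liner for every user's data.
        System.out.println("with APK key    : " + new String(decryptEcb(ecb), StandardCharsets.US_ASCII));

        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey key = kg.generateKey();
        byte[] g1 = encryptGcm(key, pt);
        byte[] g2 = encryptGcm(key, pt);
        System.out.println("AES-GCM ct      : " + hex(g1));
        // Random nonce: two encryptions of the same plaintext under the same key differ.
        System.out.println("same ct twice?  : " + Arrays.equals(g1, g2));
        System.out.println("roundtrip       : " + new String(decryptGcm(key, g1), StandardCharsets.US_ASCII));
    }
}
```

Run it on any JDK 8 or later (`javac StaticKeyEcbDemo.java && java StaticKeyEcbDemo`). The first half is what a reviewer sees once the key string is pulled out of the decompiled classes; the repeated-block check is what they see even before that. The second half changes three things at once, and all three matter: a 256-bit AES key instead of 3DES, an authenticated mode with a fresh nonce instead of ECB, and a key that exists only at runtime (in production, only inside the Android Keystore) instead of in the code.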
The Jurisdictional Reality
It is important to state clearly what this audit does and does not claim. No evidence was found that BadeSaba was designed as a surveillance tool or that it contains deliberate backdoors. The vulnerabilities identified appear to stem from negligent development practices rather than malicious intent. However, intent is not the operative question when assessing privacy risk for users living under authoritarian governance. The operative question is: what happens to the data once it exists? In Iran, the answer is shaped by a legal framework that grants security agencies broad access to telecommunications data, a regulatory environment with no independent oversight body for data protection, and a documented history of using domestically collected digital data to identify, track, and prosecute dissidents, journalists, and minority communities. Under these conditions, an application that collects precise location data, fingerprints devices, stores user data without encryption, and distributes metadata across dozens of domestic endpoints creates a de facto surveillance surface regardless of the developer's intentions.
Recommendations for Users
Users who must continue using BadeSaba Calendar should immediately revoke location, storage, and calendar permissions through their device settings. Location access should be denied entirely unless location-based prayer times are critically needed, and even then should be restricted to active use only. Revoking storage permission stops the application from writing through the legacy storage path to publicly accessible directories; note that on Android 10 and later an app can still add images to the shared media collections without that permission, so the built-in sharing features, which generate the insecurely stored screenshots, should be avoided regardless. Users should avoid entering sensitive personal, financial, or medical information into the application, and should clear the application cache regularly. More broadly, users should understand that the privacy risks described here are not unique to BadeSaba. They are representative of a pattern across Iranian-developed applications that collect far more data than their functionality requires, protect it inadequately, and operate within a jurisdiction that provides no structural guarantee against state access. The developers have been contacted through responsible disclosure channels with detailed remediation recommendations.