Engineering · April 8, 2026 · 5 min read

Why We Refuse to Read Your SMS - A Founder's Note

Every major khata app in India asks for SMS permission. We made a deliberate choice to never do that. Here is why - and how we still detect UPI payments.

By the Hisab Expert Team

The Industry Norm

If you open the Google Play Store and look at the top Indian accounting apps, you will find that many of them request the READ_SMS or RECEIVE_SMS permission. The stated reason is UPI payment detection: when a customer pays you via a popular UPI app, the app reads the SMS confirmation to auto-record the transaction.

This is convenient. It is also a massive privacy compromise that most shopkeepers do not fully understand when they tap "Allow."

What SMS Access Really Means

When you grant SMS permission to an app, you are not granting access to just UPI messages. You are granting access to every SMS on your phone - bank alerts with your account balance, OTPs for your banking app, personal messages, government notifications, insurance documents, and more.

The app might only use UPI messages today. But the permission allows it to read everything. And if the company's business model changes, or if the app is compromised, that data is already accessible. This is not a theoretical risk - it is a structural one.

The permission model does not allow granularity. Android does not have a "read only UPI SMS" permission. It is all SMS or none. We chose none.

Our Alternative: NotificationListenerService

Android provides a service called NotificationListenerService that allows an app to read visible notifications - the ones that appear in your notification shade. When your UPI app sends you a "Payment received: ₹500 from Ramesh" notification, Hisab Expert reads that notification text, parses the amount, and creates a draft transaction.

The key difference: this service only accesses app notifications, not your SMS inbox. It cannot read your bank messages, your OTPs, or anything that was not shown as a notification. The scope is dramatically narrower.

Is it perfect? No. If a UPI app does not send a notification (rare, but possible if notifications are disabled), Hisab Expert will not detect the payment. The shopkeeper would need to enter it manually. We accepted this tradeoff because the alternative - reading all your SMS - was not acceptable to us.
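
A minimal listener along the lines described above, added here as an example and not Hisab Expert's own code. The listener callback receives notifications posted by every app, so the example discards anything outside a package allowlist before reading any text. The package name, the `DraftTransaction` type, the in-memory `drafts` list and the regular expression are assumptions; the notification wording follows the sample in the text.

```kotlin
import android.app.Notification
import android.service.notification.NotificationListenerService
import android.service.notification.StatusBarNotification
import java.math.BigDecimal

// Hypothetical draft record; field names are assumptions for this example.
data class DraftTransaction(val amount: BigDecimal, val payer: String?, val sourcePackage: String)

// Placeholder package name; a real allowlist holds the UPI apps to watch.
val UPI_PACKAGES = setOf("com.example.upiapp")

// Assumed wording, from the sample above: "Payment received: ₹500 from Ramesh".
// Also accepts "Rs."/"INR", thousands separators and paise ("Rs. 1,250.50").
private val PAYMENT = Regex(
    """received[:\s]*(?:₹|Rs\.?|INR)\s*([0-9][0-9,]*(?:\.[0-9]{1,2})?)(?:\s+from\s+(.+))?""",
    RegexOption.IGNORE_CASE
)

// Pure function so the parsing can be unit-tested without a device.
fun parseDraft(pkg: String, text: CharSequence?): DraftTransaction? {
    if (pkg !in UPI_PACKAGES || text == null) return null // not an allowlisted app
    val m = PAYMENT.find(text) ?: return null             // not a payment message
    val amount = BigDecimal(m.groupValues[1].replace(",", ""))
    if (amount.signum() <= 0) return null                 // ignore zero amounts
    val payer = m.groupValues[2].trim().take(60).ifEmpty { null }
    return DraftTransaction(amount, payer, pkg)
}

// Declared in the manifest with android:permission=
// "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"; the user must also
// enable it under notification access in system settings.
class UpiNotificationListener : NotificationListenerService() {
    override fun onNotificationPosted(sbn: StatusBarNotification) {
        // The callback fires for notifications from any app, so drop everything
        // outside the allowlist before touching the notification text.
        if (sbn.packageName !in UPI_PACKAGES) return
        val text = sbn.notification.extras.getCharSequence(Notification.EXTRA_TEXT)
        val draft = parseDraft(sbn.packageName, text) ?: return
        drafts.add(draft) // keep parsed fields only; the raw text is not stored
    }

    companion object {
        // In-memory stand-in for the app's own draft storage (assumption).
        val drafts = mutableListOf<DraftTransaction>()
    }
}
```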

The Tradeoff We Accepted

We know that SMS-based detection catches a few more edge cases. We know that some competitors use this as a selling point. We decided that your privacy is worth more than a marginal improvement in auto-detection coverage.

Our users are shopkeepers who handle real money, real customer relationships, and real business records. Their phone contains their financial life. We do not believe an accounting app should have the keys to all of it.

Verify It Yourself

You do not have to take our word for it. Open the Play Store, go to Hisab Expert's listing, and tap "About this app" → "App permissions." You will see that we do not request READ_SMS or RECEIVE_SMS. Then check the permission lists of other khata apps. The difference speaks for itself.

If you are a shopkeeper currently using an app that reads your SMS and you are uncomfortable with that, we built Hisab Expert specifically for you.
