Serious security flaws discovered in the government’s BHIM app could dent its digital push. Security experts have found that hackers can gain access to a user’s account details with just basic programming skills.

“The BHIM app is written in a very amateur way and the entire code is unprotected, which means it can be easily downloaded and modified by anyone,” said Mumbai-based security expert Prashant Mali.

A hacker could download the .apk file of the app and modify parts of the code in such a way that once the user’s bank details are keyed in, the hacker could take control of the account. (APK refers to Android application package, the file format used by the Android operating system for distribution and installation of mobile apps.) And since the code is easily procured, fake apps resembling the original can be generated with little effort.

Other vulnerabilities



“The app also has SQL injection vulnerability, using which hackers can extract bank account details easily,” Mali said. SQL stands for Structured Query Language, used to communicate with a database. He added that the app is also vulnerable to a ‘denial of services’ attack, wherein hackers flood servers with fake transactions to bring them down.

Experts believe the app was written in haste, due to which such errors were not rectified in the testing phase. The Centre has been pushing citizens to adopt digital payment methods with the result that most companies developing apps have put them through inadequate tests.

There have been issues with other digital payment platforms, too. During the demonetisation drive, Paytm launched its merchant app, which allowed traders and shopkeepers to accept credit and debit cards without investing in a PoS terminal. However, it was withdrawn a day later after experts pointed out holes in its system.

************

NPCI clarifies:

It says “The code is very well secured by ensuring encryption and other techniques. However, some part of the code would always be visible for functioning of the app but this does not carry any confidential or risk threat scenario. The app will not work if the visible codes are modified.” In the context of fake apps, it has clarified: “ This threat remains with every app which is published in the world similar to phishing attack wherein users are directed to fake apps. NPCI is monitoring such cases and simultaneously reporting the issue to the relevant authorities for removal of such fake apps from Google Play Store.” It adds that the app is not prone to SQL injection and NPCI has ensured that checks and controls are in place to prevent services attacks.

Our reporter's response

The fact that large portions of the code was left unobfuscated in the first version of the app does expose the app to possible misuse. What part of the openly available code can be termed a vulnerability is a subjective matter. The fact that many other apps pose a risk of being copied doesn't make BHIM safe. THE NPCI’s clarification on SQL injection is correct. What we meant to say is that the code is written using SQL inline method, which is largely considered an insecure way of storing data. Also, the app allows a user to have sender and receiver's account as the same, which means one can continue to send small amounts of money to his or her own account, without making any real transaction but in the process, possibly clogging the system if other controls are not in place--something that may lead to a Denial of Service attack.