Paytm App Asking for Root Permissions: Here’s What Happened
Mar. 10, 2018Paytm is undoubtedly the biggest brand in the country when it comes to digital payments. While other brands such as Google Tez have been trying to catch up, Paytm still remains at the top. However, the brand has never been shy of controversies.
After getting intoa feud with Facebook over user’s privacyand the launch of WhatsApp Payments, it appears as if Paytm itself hasn’t been been spared the criticism for data security issues and a lackadaisical attitude towards privacy.
Earlier this week, many users reported thatPaytm was reportedly asking for root privileges on Android devices.After confirming the issue ourselves, we contacted Paytm customer care for an official response. Their response was rather absurd, stating that the app requests for root privileges for the sake of device details and OS version.
Let’s get one thing straight – Android apps do require device details such as OS version and more, but Android natively has permissions for that.Requesting root access is completely unnecessary in this case.As such, Paytm’s official response to was highly unsatisfactory, and upon further inquiry, the team stopped responding to us.
As a personal note, here’s what I feel: Root privileges while being extremely useful for the right user,can also be used to exploit vulnerabilities within the installed apps, or get logs from other apps. As such, I can understand why a banking app would want to check for root access on a user’s device. For protection, right? However, there are apps out there such as BHIM which also check for root access on one’s device, but rely on the operating system’s SafetyNet technology to check that. Asking for direct root access is not just bad practice for a mainstream app, buta grave security risk for people who might not be fully aware of what giving apps root means.
It also raises the questions as to what Paytm intends to do with those permissions.Root rights are the holy grail for an Android app. With this right, you can do whatever you want on the victim phone.
Now, while Paytm failed to respond to our questions, as well as the queries from many other users, it did respond to a famous personality. French security researcher and a thorn in the flesh of Indian tech companies at the moment, Baptiste Robert, better known on Twitter asElliot Anderson, contacted Paytm enquiring about the same. According to hisconversation with Deepak Abbot, Sr. Vice President at Paytm, the official statement was that the app was requesting root access to simply alert the user.You can check out the conversation below:
While the controversy carried on for a couple of days, Paytm finally contacted Robert, stating thatthey have rolled out a fix which includes a config change to not make the su request.
Having confirmed the same, we can confirm that Paytm is no longer asking for root permissions on Android devices. Nonetheless, the very fact that itoccurredin the first placeshines light on the lack of standard security practices even in major apps such as Paytm.We have not even touched on the ethical implications of this. Its’ flip-flopping on the root issue also highlights the lack of proper technical knowledge even at higher levels in tech companies.
Honestly speaking, the issue is not just with Paytm.Many other Indian companies have been reported of implementing bad cybersecurity into their apps or web portals.We have hadbad cases with BSNL,Aadhaar data, andVoter ID leaksas well. Just last weekTruecaller Pay was found testing UPI paymentson a production server, which was unsecured. So the problem in India runs far deeper than just one company.
This isn’t an interview! Why am I being asked to tell you about myself? :P Well, if you really wanna know, I’m currently trending worldwide on #BeingMirchi. Buy me a beer if you like my work. Cheers!
