India Watch - A Digital Media

BHIM shakes the country

by Dinesh Bareja, 06/01/2017, in India Unplugged

Bharat Interface for Money, BHIM for short, is the new app that has shaken up the country's financial ecosystem. It is designed to give the common man the easiest possible interface for transferring and receiving money. All one needs is a bank account and a mobile phone linked to it, or a debit card issued for the account.

NPCI has created BHIM and is working to bring about a revolution in the country's financial payments ecosystem. The indigenisation is to be lauded, and we are great supporters of Make In India. We hope that NPCI will talk with us for an interview on IW_Talks!

BHIM has created a storm in the Indian financial payments world, and ordinary users have heaped praise and kudos on it. It is of great help, no doubt, but there is a general impression that it is a bit too good for something brought up in so short a time. Public claims have also been made about the app's security, and every security researcher loves to prove such a system wrong (especially when faced with claims of military-grade security).

Maybe BHIM should have started a bug bounty program at the time of launch <LOL>, but in any case the NPCI team can thank these researchers for their contributions.

We are putting together (without attribution) comments and findings shared in the public domain across various platforms (news, websites, etc.) and in private.

Item # 1 – code issues 1

Findings reported by Sameep

The following post is not intended to malign or shame the Government or any agency, but to make them aware of the risks in the cyber security domain. I decided to install the BHIM app for online transactions on my Android device, but, as is my nature, I test things for safety before I deploy them or recommend them to others.

  • The app is not written in native code; not much of an issue if the code is generated by one of the popular RAD IDEs and tweaked for security.
  • Crypto is false, in fact non-existent.
  • Obfuscation of the code is not present; ideally it should have been done using something like ProGuard.
  • A hell of a lot of commented code is still lying unattended inside the files, bloating the size and also increasing risks.
  • The broadcast receiver is not protected and is shared with other apps, which could lead to data leaks.

Update on Jan 09 – this is the response from NPCI

Item # 1.1 – code issues 2 – decompile with ease!

Question: Hi, so you were actually able to decompile the APK and extract the source code for this app? That would be a major red flag, making this app non-compliant with PCI standards.

Researcher: Yup, it was easy; I just changed the extension to zip, extracted and decompiled.

(Maybe it was made so on purpose, so you guys can easily check for issues:-))

Item # 2 – The funniest finding – donation request:

Email address found: [email protected]

The person is asking for donations and has embedded a PayPal donation link.

The same person has been selling Internet plans on his Google+ page: https://plus.google.com/104133339266698489804
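As an added illustration (this is not code from the page, nor NPCI's or Sameep's), the script below does in a few lines what Items 1, 1.1 and 2 describe by hand: it opens an APK as the plain zip it is, lists the members, greps every member for e-mail addresses and URLs (the kind of leftover that surfaced a donation link), applies a crude heuristic for ProGuard-style renaming in classes.dex, and flags receivers in an apktool-decoded AndroidManifest.xml that are exported without an android:permission. The APK, the manifest, and the e-mail address and URL inside them are constructed for the example; the classes.dex member is a placeholder, not a real Dalvik file.

```python
"""
Static triage of an APK treated as a zip archive, plus a check of a decoded
AndroidManifest.xml for broadcast receivers any app can talk to.

Everything below is a constructed sample: the APK members, the manifest,
and the e-mail/URL planted in classes.dex. Not BHIM's code or data.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
URL_RE = re.compile(rb"https?://[^\s\"'<>]+")


def build_sample_apk() -> bytes:
    """Construct a minimal APK-shaped zip in memory (sample, not a real app)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00 binary AXML placeholder")
        # Placeholder for classes.dex: a real one carries a string table; here we
        # only embed the sort of leftovers a decompile brings to the surface.
        z.writestr("classes.dex",
                   b"dex\n035\x00 ... Ldev/example/Donate; "
                   b"please support me: dev.example@example.invalid "
                   b"https://www.paypal.example/donate?id=123 ...")
        z.writestr("assets/config.txt", b"debug=true\n")
        z.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
    return buf.getvalue()


def scan_apk(apk_bytes: bytes) -> dict:
    """Open the APK as a zip and collect members, e-mails, URLs and a renaming hint."""
    found = {"members": [], "emails": set(), "urls": set(), "obfuscated_hint": None}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for info in z.infolist():
            found["members"].append(info.filename)
            data = z.read(info.filename)
            found["emails"].update(m.decode() for m in EMAIL_RE.findall(data))
            found["urls"].update(m.decode() for m in URL_RE.findall(data))
            if info.filename == "classes.dex":
                # Crude heuristic: ProGuard-style renaming leaves descriptors like
                # "La/b/c;"; readable package paths suggest no renaming was applied.
                readable = re.findall(rb"L[a-z]{3,}/[A-Za-z]{3,}[/;]", data)
                found["obfuscated_hint"] = "unlikely" if readable else "possible"
    return found


# Constructed manifest in the plain-XML form apktool produces (sample only).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="dev.example.pay">
  <application>
    <receiver android:name=".SmsStatusReceiver">
      <intent-filter><action android:name="dev.example.pay.SMS_SENT"/></intent-filter>
    </receiver>
    <receiver android:name=".TxnReceiver" android:exported="true"
              android:permission="dev.example.pay.permission.TXN"/>
    <receiver android:name=".InternalReceiver" android:exported="false"/>
  </application>
</manifest>
"""


def find_unprotected_receivers(manifest_xml: str) -> list:
    """Return receivers reachable by any app: exported and carrying no permission.

    A receiver that declares an <intent-filter> is exported unless
    android:exported="false" is set explicitly.
    """
    root = ET.fromstring(manifest_xml)
    exported_attr = f"{{{ANDROID_NS}}}exported"
    perm_attr = f"{{{ANDROID_NS}}}permission"
    name_attr = f"{{{ANDROID_NS}}}name"
    flagged = []
    for rcv in root.iter("receiver"):
        exported = rcv.get(exported_attr)
        has_filter = rcv.find("intent-filter") is not None
        is_exported = exported == "true" or (exported is None and has_filter)
        if is_exported and rcv.get(perm_attr) is None:
            flagged.append(rcv.get(name_attr))
    return flagged


if __name__ == "__main__":
    report = scan_apk(build_sample_apk())
    print("members:", report["members"])
    print("emails:", sorted(report["emails"]))
    print("urls:", sorted(report["urls"]))
    print("obfuscation:", report["obfuscated_hint"])
    print("unprotected receivers:", find_unprotected_receivers(SAMPLE_MANIFEST))
```

To use it on a real APK, pass the file's bytes to scan_apk() and the apktool-decoded manifest text to find_unprotected_receivers(). The "no android:exported attribute but has an intent-filter" branch matters for older targets; apps targeting Android 12 or later must declare android:exported explicitly on such components or the platform refuses to install them.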

Item # 3

Here are a few suggestions on the BHIM app. I made a few transactions using the BHIM app; the other person doesn't receive any confirmation SMS, so there's no way for the other person to know if the money is transferred unless he or she has Internet connectivity and opens the app to check. One of the failed transactions resulted in money being deducted from my account, and I wasn't even aware of it until I opened net banking (since there was no SMS confirmation of the money deducted or added).

Item # 4

I faced this same error while verifying the payee's virtual address. Many users are getting errors while registering, like "Device binding failed" etc.

Item # 4 – is this hosted on AWS!

Item # 5 – a Truecaller 'wannabe' in the making!

Someone tried this using my number, and see what came up! Someone has to try other risk scenarios, but the researcher(s) are worried about a negative reaction from the owners.

Update Jan 07 – Item # 6

I was testing the latest build of the BHIM app and found that they have addressed the crypto issue; good to see a quick reaction.

But I found something graver today:
1. SQL queries were inline, and that is a high potential risk. Please use procedures.
2. Instead of writing error statements, it is better to specify error codes.
3. The rest of the points already highlighted still stand.
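Point 1 above is the classic injection risk. Sameep suggests procedures; SQLite, which is what an Android app's local database is, has no stored procedures, so the equivalent fix there is bound parameters (rawQuery() with selectionArgs, or query() with '?' placeholders). The example below is added here and is not BHIM's code; it uses Python's sqlite3 on a constructed in-memory table so it runs anywhere, and shows the inline query returning every row for a hostile input while the parameterised query returns none.

```python
"""
Inline (string-built) SQL versus a bound-parameter query on SQLite.

The table and its rows are constructed for the example; the VPAs are
made up and do not belong to any real account.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Create an in-memory transaction table with a few sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE txn (id INTEGER PRIMARY KEY, vpa TEXT, amount INTEGER)")
    conn.executemany("INSERT INTO txn (vpa, amount) VALUES (?, ?)", [
        ("alice@example", 500),
        ("bob@example", 1200),
        ("carol@example", 75),
    ])
    return conn


def history_inline(conn: sqlite3.Connection, vpa: str) -> list:
    """Vulnerable: the caller-supplied VPA is spliced straight into the SQL text."""
    sql = f"SELECT vpa, amount FROM txn WHERE vpa = '{vpa}'"
    return conn.execute(sql).fetchall()


def history_param(conn: sqlite3.Connection, vpa: str) -> list:
    """Fixed: the VPA travels as a bound parameter and is never parsed as SQL."""
    return conn.execute("SELECT vpa, amount FROM txn WHERE vpa = ?", (vpa,)).fetchall()


def demo() -> dict:
    """Run both forms against an honest VPA and a quote-breaking one."""
    conn = make_db()
    honest = "alice@example"
    hostile = "x' OR '1'='1"  # closes the literal and appends an always-true clause
    return {
        "inline_honest": history_inline(conn, honest),
        "inline_hostile": history_inline(conn, hostile),   # every row comes back
        "param_honest": history_param(conn, honest),
        "param_hostile": history_param(conn, hostile),     # no row has that literal VPA
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The hostile input turns the inline statement into `WHERE vpa = 'x' OR '1'='1'`, which matches the whole table; with a bound parameter the same string is compared as a literal VPA and matches nothing.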

Item # 7 – Issue on CERT-In Empanelment

This is the gist of the conversation between Rakesh Goyal and Saket Modi about testing by CERT auditors, and the point that Lucideus is not empanelled with CERT. I believe that the response is somewhat unconvincing. However, I have a question: how come Lucideus could demonstrate and deliver high-grade testing for NPCI but flunked the CERT empanelment test, which is supposed to be weak (according to industry folk)? Anyway, this is the conversation:

Update Jan 09, 2017

Item # 8 – Confidential Disclosure

This morning IW made a confidential disclosure of five issues in BHIM to NPCI. These will be made public after two weeks.

We are sure there are other researchers who have been submitting bugs directly to NPCI, and we request them to please share their research on this blog.

Item # 9 – Issue released by Sameep Agarwal

@BHIM.NPCI I had promised my peers that I would be writing more about the BHIM app, but it got delayed because I overslept… Thank God I did that.

Previously, I shared my observations based on static analysis. Today, I just thought of trying the dynamic approach, but I was taken aback when my device registration through SMS exposed something hilarious….

The app doesn't send the verification code from within the encapsulated code; rather, it opens up the generic SMS utility. It sends a 13-digit numerical code in the SMS body to a 10-digit registered number, 092XXXXXXX.

1. There are no multiple numbers mapped to a shortcode (e.g. 58888); hence all traffic is just on one registered number.

2. A person with malicious intent can bombard this number, thus crowding the server and resulting in DDoS.

3. The verification code can be tampered with in plain text in the generic SMS utility itself.

4. I didn't proceed further, as I felt demotivated after these findings.

Our PM tweeted that BHIM has crossed 10 million users… My question: what about the cyber security aspect that the government has been yelling about?

I am again offering my services for free, if the BHIM developers (Chhota Bheem) are serious about their stuff.
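Point 3 above concerns the code travelling in plain text in the SMS body. As an added example (this is not BHIM's code, and the page does not say how NPCI's backend actually handles these messages), here is the server side of an outbound binding SMS of this kind: the server issues a 13-digit code per registration session, the app sends it to the operator's number, and on receipt the server binds the sender MSISDN, which is asserted by the carrier rather than by the app, to the session that code belongs to. A body edited in the SMS utility matches no pending session and binds nothing, and the same holds for a replayed or expired code. The session handling, TTL and phone numbers are constructed for the example; only the 13-digit length follows Sameep's description. Checks of this kind do nothing about the flooding concern in point 2, which has to be handled upstream, at the receiving number.

```python
"""
Server-side handling of an outbound device-binding SMS.

Flow: issue(session) -> app puts the code in an SMS to the operator's number
      -> receive_sms(sender, body) binds the carrier-asserted sender to the session.

Assumptions for the example: 13-digit numeric codes (per the page), a
5-minute validity window, single use, and constructed phone numbers.
"""
import re
import secrets
import time

CODE_RE = re.compile(r"\d{13}")
CODE_TTL = 300  # seconds a pending code stays valid (assumption)


class BindingServer:
    def __init__(self):
        self._pending = {}   # code -> (session_id, issued_at)
        self._bound = {}     # session_id -> msisdn

    def issue(self, session_id: str, now=None) -> str:
        """Create a fresh 13-digit code the app must place in its outbound SMS."""
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10**13):013d}"
        self._pending[code] = (session_id, now)
        return code

    def receive_sms(self, sender: str, body: str, now=None) -> str:
        """Process one SMS arriving at the operator's number; returns the outcome."""
        now = time.time() if now is None else now
        body = body.strip()
        if not CODE_RE.fullmatch(body):
            return "malformed"            # junk or heavily edited body; nothing to bind
        entry = self._pending.pop(body, None)   # pop: a code is single-use
        if entry is None:
            return "unknown_code"         # digits altered in the SMS app, or a replay
        session_id, issued_at = entry
        if now - issued_at > CODE_TTL:
            return "expired"
        self._bound[session_id] = sender  # the sender number comes from the carrier
        return "bound"

    def bound_number(self, session_id: str):
        return self._bound.get(session_id)


def demo() -> dict:
    """Exercise the tampered, genuine, replayed and expired cases."""
    srv = BindingServer()
    t0 = 1_000_000.0
    code = srv.issue("sess-1", now=t0)
    tampered = code[:-1] + ("0" if code[-1] != "0" else "1")  # flip the last digit
    results = {
        "tampered": srv.receive_sms("+919800000001", tampered, now=t0 + 5),
        "genuine": srv.receive_sms("+919800000001", code, now=t0 + 10),
        "replay": srv.receive_sms("+919800000002", code, now=t0 + 20),
        "bound_to": srv.bound_number("sess-1"),
    }
    late = srv.issue("sess-2", now=t0)
    results["expired"] = srv.receive_sms("+919800000003", late, now=t0 + CODE_TTL + 1)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The point the example makes is that the body only correlates the message with a session; what gets bound is the sender number the carrier reports, so editing the digits before sending can at most break one's own registration.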


Call for Submission

The voluntary efforts of all community researchers will be appreciated by NPCI and the public at large. We request researchers to add their findings in the comments area below, or to communicate with us, and we will update this blog.

We shall be sharing the blog contents with NPCI and hope that they will take the necessary remediation actions.

God Bless all Makers for India and God Bless the Information Security community.

Tags: BHIM, bhim comments, bhim security, epayment, india, make in India, npci, responsible disclosure, Sameep Agarwal

Dinesh Bareja

Cyber security practitioner and evangelist working in cyber security in national and enterprise applications. Contributor to national policy, awareness and development of capacity / capability. Keeps a critical eye on the past, present and future in the infosec domain, and a firm believer in common sense. Uses practical thinking to demolish purveyors of cyber hype and snake oil.


Comments (1)

  1. Dayanidhi says:
    9 years ago

    If you guys want to do something worthwhile, you should just learn coding and solve these fake issues which you guys are creating. This is not true; just prove it with valid proof, and I am 100% sure you can't take anything from using this. If you can do that, post it.


© 2018 IndiaWatch - All Rights Reserved. Website Design: Jemistry Info Solutions