
March 24, 2017

How secure are India’s mobile wallets?

As demonetisation in India has pushed new users onto mobile wallets and digital payment apps, questions remain over how secure these apps are and how often they undergo mobile app security testing. We look at the authentication features of some of the most popular mobile payment apps.


Paytm ships with single-factor authentication by default: once you log in, the session persists and you can make transactions through the app until you log out. The app recently added an app password and a fingerprint lock as an optional second step, but both are off by default and must be switched on by the user.


Like Paytm, MobiKwik also relied on one-factor authentication until recently. It has now announced two-factor authentication to prevent theft and unauthorised access from lost or stolen devices. It has also introduced a transaction lock that asks for a 6-digit PIN before your balance can be spent (Android version only). If the device is lost or stolen, a remote detonation feature logs you out of the app remotely and deletes the critical data the app holds.


The Bharat Interface for Money (BHIM), launched on 30 December 2016, has recorded 17 million downloads to date. BHIM enforces three mandatory layers of security. First, the user sets a PIN that is required to open the app, and the app is bound to the device ID and phone number it was registered from. Second, the bank authenticates the transaction against the mobile number registered with it when the Know Your Customer (KYC) form was completed at account opening. Third, the user must enter the UPI PIN for each transaction. A successful BHIM transaction therefore requires two PINs: the app PIN and the UPI PIN.

JioMoney is a relatively new entrant to the mobile wallet market and recently became the second payment app partner for Uber in India, after Paytm. It comes with mandatory two-factor authentication, asking for a password and an mPIN every time the app is launched. Another useful feature is that if the device is lost or the mobile number changes, the number on the account can be changed with the help of the mPIN.
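The four authentication models described above (a persistent single-factor session as in Paytm's default, a per-transaction PIN as in MobiKwik's transaction lock and BHIM's UPI PIN, binding the account to a device ID and phone number as in BHIM, and remote logout as in MobiKwik) can be contrasted in a small server-side model. The following is an added example written for this page; it is not code from Paytm, MobiKwik, BHIM or JioMoney, and the PIN lengths, the lockout threshold, the device identifiers, the phone numbers and the PBKDF2 work factor are assumptions made for illustration.

```python
"""Toy wallet back end contrasting a session-only payment path with a
device-bound, PIN-per-transaction path. Added example with constructed
data; not the code of any app named on the page."""
import hashlib
import hmac
import os
import secrets

PBKDF2_ITERATIONS = 100_000   # assumption: work factor for hashing a 6-digit PIN
MAX_PIN_FAILURES = 3          # assumption: lock transactions after 3 wrong PINs


def hash_pin(pin: str, salt: bytes) -> bytes:
    """Salted PBKDF2. A 6-digit PIN has only ~20 bits of entropy, so the
    online failure counter below matters more than the work factor."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ITERATIONS)


class WalletAccount:
    """Server-side state for one wallet user (in-memory, constructed)."""

    def __init__(self, phone: str, device_id: str, login_pin: str, txn_pin: str, balance: int):
        self.phone = phone
        self.device_id = device_id            # the device the account is bound to
        self.salt = os.urandom(16)
        self.login_hash = hash_pin(login_pin, self.salt)
        self.txn_hash = hash_pin(txn_pin, self.salt)
        self.balance = balance
        self.sessions: dict[str, str] = {}    # session token -> device it was issued to
        self.pin_failures = 0
        self.locked = False

    def _check(self, pin: str, expected: bytes) -> bool:
        return hmac.compare_digest(hash_pin(pin, self.salt), expected)

    def login(self, device_id: str, login_pin: str):
        """Factor 1: the login PIN, accepted only from the enrolled device."""
        if self.locked or device_id != self.device_id or not self._check(login_pin, self.login_hash):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = device_id
        return token

    def pay_session_only(self, token: str, amount: int) -> bool:
        """Single-factor model: a live session is all that authorises a payment.
        Whoever holds the unlocked phone (or the token) can spend until logout."""
        if token not in self.sessions or amount > self.balance:
            return False
        self.balance -= amount
        return True

    def pay_with_txn_pin(self, token: str, device_id: str, amount: int, txn_pin: str) -> bool:
        """Two-step model: live session + device binding + per-transaction PIN,
        with a failure counter so the PIN cannot be brute-forced online."""
        if self.locked or self.sessions.get(token) != device_id or amount > self.balance:
            return False
        if not self._check(txn_pin, self.txn_hash):
            self.pin_failures += 1
            if self.pin_failures >= MAX_PIN_FAILURES:
                self.locked = True        # freeze the wallet and drop every session
                self.sessions.clear()
            return False
        self.pin_failures = 0
        self.balance -= amount
        return True

    def remote_logout(self) -> int:
        """Remote logout for a lost device: revoke every session server-side.
        Returns the number of sessions revoked."""
        n = len(self.sessions)
        self.sessions.clear()
        return n


def demo() -> dict:
    """Walk a 'lost unlocked phone' scenario through both payment paths."""
    acct = WalletAccount("+919999999999", "dev-A", "1234", "654321", balance=1000)
    token = acct.login("dev-A", "1234")                                  # owner logged in earlier
    drained = acct.pay_session_only(token, 300)                          # thief needs nothing more
    refused = acct.pay_with_txn_pin(token, "dev-A", 300, "000000")       # thief guesses the PIN
    paid = acct.pay_with_txn_pin(token, "dev-A", 300, "654321")          # owner knows the PIN
    wrong_device = acct.pay_with_txn_pin(token, "dev-B", 300, "654321")  # token replayed elsewhere
    revoked = acct.remote_logout()                                       # owner reports the phone lost
    after_logout = acct.pay_session_only(token, 1)                       # old token is now dead
    return {"drained": drained, "refused": refused, "paid": paid, "wrong_device": wrong_device,
            "revoked": revoked, "after_logout": after_logout, "balance": acct.balance}


if __name__ == "__main__":
    print(demo())
```

The session-only path is what a stolen, still-unlocked phone exploits: nothing beyond the existing login is asked for, which is the weakness of a single-factor default. The PIN path adds three independent checks, and the failure counter is the one a tester should look for first, because a 6-digit PIN falls to online guessing in at most a million attempts if the server never locks the account.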

These security features may help to allay users' concerns, but it remains to be seen whether these apps go through rigorous mobile app security testing as part of each release, and what measures the banks are taking to stop hacking.

Codified Security is here to help make your mobile app secure, whether it's for iOS or Android, and to make sure you're clearing the OWASP Mobile Top 10. For mobile app security testing, try out Codified Security.