Demonetisation in India has driven rapid adoption of digital payments, while also exposing their security risks and the need for mobile app security testing.
New research from the Centre for Software and IT Management (CSITM) at the Indian Institute of Management in Bangalore combined mobile app security testing with an examination of the security of the backends supporting the apps.
The research looked at some of India’s most popular payment apps, such as Paytm, Freecharge, and BHIM, and concluded that they have serious security issues when measured against the risk management principles of the Basel Committee on Banking Supervision and the RBI.
The research looked at four categories of mobile payment systems: wallets (Paytm, FreeCharge), direct links to the user’s bank (BHIM), apps issued by banks for their own account holders (iMobile by ICICI Bank), and the Unstructured Supplementary Service Data (USSD) system.
The privacy concerns stem from the apps’ differing approaches to security: some, such as Freecharge, avoid a direct link to third-party vendors, whereas others, such as Paytm, allow automatic connection to vendors, who are then able to charge the user without their consent.
The failure to implement standard security features, such as automatically logging users out to end sessions, was common to Paytm and Freecharge. This risks fraudulent transactions through the app, especially if the user loses their phone. iMobile and BHIM both use session time-out features.
The research also noted minimal oversight of transactions: for example, the government’s BHIM app confirms a successful transaction within two minutes but takes 10 hours to notify the user of a failure. In addition, definitive conclusions were difficult to reach because of the constant updates and changes to the features available in the apps.
This kind of high-frequency release cycle also raises the question of whether enough mobile app security testing is being done to verify the security of new builds and features.
Codified Security is here to help make your mobile app secure, whether it’s for iOS or Android, or to make sure you’re clearing the OWASP Mobile Top 10. For mobile app security testing, try out Codified Security.