Paytm is undoubtedly the biggest brand in the country when it comes to digital payments. While other brands such as Google Tez have been trying to catch up, Paytm still remains at the top. However, the brand has never been shy of controversies.
After getting into a feud with Facebook over users’ privacy and the launch of WhatsApp Payments, it appears that Paytm itself hasn’t been spared criticism for data security issues and a lackadaisical attitude towards privacy.
Earlier this week, many users reported that Paytm was asking for root privileges on Android devices. After confirming the issue ourselves, we contacted Paytm customer care for an official response. Their response was rather absurd, stating that the app requests root privileges in order to read device details and the OS version.
Let’s get one thing straight: Android apps do need device details such as the OS version, but Android exposes those through its ordinary, non-root APIs and permissions. Requesting root access is completely unnecessary for this purpose. As such, Paytm’s official response was highly unsatisfactory, and upon further inquiry, the team stopped responding to us.
As a personal note, here’s what I feel: root privileges, while extremely useful for the right user, can also be used to exploit vulnerabilities in installed apps or to read other apps’ logs and data. As such, I can understand why a banking app would want to check whether a user’s device is rooted. For protection, right? However, other apps such as BHIM also check for root on a device, yet they rely on the platform’s SafetyNet attestation to do so rather than asking for root themselves. Requesting direct root access is not just bad practice for a mainstream app; it is a grave security risk for people who may not fully understand what granting an app root means.
It also raises the question of what Paytm intends to do with those privileges. Root is the holy grail for an Android app: with it, an app can do whatever it wants on the phone.
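The distinction drawn above, between an app that merely wants to know whether a device is rooted and one that actually spawns `su`, comes down to a few lines of code. The Java class below is an added illustration written for this article; it is not code from Paytm, BHIM, or any other app mentioned here. It contrasts the anti-pattern (executing `su`, which on a rooted device raises the superuser prompt and, if the user taps “Grant”, hands the app a root shell) with passive checks that only inspect the filesystem and `android.os.Build`. The list of `su` paths is an assumption of common install locations, not an exhaustive or authoritative one.

```java
import android.os.Build;
import java.io.File;
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;

/**
 * Root-presence check for an app that only wants to warn its user.
 * Added example for this article; not code from Paytm, BHIM or any other app.
 * The passive checks read files and build properties but never execute "su",
 * so they can neither trigger a superuser prompt nor obtain root for the app.
 */
public final class RootCheck {

    // Assumed common locations of a su binary on rooted devices (illustrative,
    // not exhaustive; root managers can hide or rename the binary).
    private static final String[] SU_PATHS = {
        "/system/bin/su", "/system/xbin/su", "/sbin/su", "/su/bin/su",
        "/data/local/xbin/su", "/data/local/bin/su", "/data/local/su",
        "/system/sd/xbin/su", "/system/bin/failsafe/su"
    };

    /**
     * The anti-pattern the article describes: spawning su to "detect" root.
     * On a rooted device this shows the superuser dialog to the user and, if
     * granted, the app now holds a root shell it never needed. A code review of
     * a payments app should flag any exec("su") used purely for detection.
     */
    public static boolean antiPatternExecSu() {
        try {
            Runtime.getRuntime().exec("su").destroy();
            return true;            // su launched, so the user was prompted
        } catch (IOException e) {
            return false;           // no executable su reachable via PATH
        }
    }

    /** Passive indicators of a rooted device, suitable for logging or a warning. */
    public static List<String> passiveIndicators() {
        List<String> hits = new ArrayList<>();

        // 1. Known su binary locations: existence check only, nothing is executed.
        for (String p : SU_PATHS) {
            if (new File(p).exists()) {
                hits.add("su binary present at " + p);
            }
        }

        // 2. Any directory on PATH containing an su binary (still only a stat).
        String path = System.getenv("PATH");
        if (path != null) {
            for (String dir : path.split(":")) {
                if (!dir.isEmpty() && new File(dir, "su").exists()) {
                    hits.add("su found on PATH in " + dir);
                }
            }
        }

        // 3. Builds signed with test-keys are typical of custom/rooted ROMs.
        String tags = Build.TAGS;
        if (tags != null && tags.contains("test-keys")) {
            hits.add("build signed with test-keys");
        }
        return hits;
    }

    /** True if any passive indicator fired; the app can then warn the user. */
    public static boolean isLikelyRooted() {
        return !passiveIndicators().isEmpty();
    }

    private RootCheck() {}
}
```

An app that, like BHIM in the article, wants a signal the device owner cannot trivially fake would go one step further and request a SafetyNet attestation: the device sends a nonce to Google, receives a signed statement about the device’s integrity, and the app’s backend (not the app itself) verifies that signature before trusting the result. None of that requires the app to hold root, which is the whole point of the comparison above. (Google has since deprecated the SafetyNet Attestation API in favour of the Play Integrity API, but the design, passive on-device checks plus a server-verified attestation, is unchanged.)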
Now, while Paytm failed to respond to our questions, as well as to queries from many other users, it did respond to a well-known figure. French security researcher Baptiste Robert, better known on Twitter as Elliot Anderson and currently a thorn in the side of Indian tech companies, contacted Paytm about the same issue. According to his conversation with Deepak Abbot, Sr. Vice President at Paytm, the official statement was that the app was requesting root access simply to alert the user. You can check out the conversation below:
While the controversy carried on for a couple of days, Paytm finally contacted Robert, stating that they had rolled out a fix that includes a config change so the app no longer makes the su request.
Having verified this ourselves, we can confirm that Paytm is no longer asking for root permissions on Android devices. Nonetheless, the very fact that it happened in the first place shines a light on the lack of standard security practices even in major apps such as Paytm. We have not even touched on the ethical implications. Its flip-flopping on the root issue also highlights the lack of proper technical knowledge even at senior levels in tech companies.
Honestly speaking, the issue is not just with Paytm. Many other Indian companies have been reported to implement poor security in their apps or web portals. There have been bad cases involving BSNL, Aadhaar data, and Voter ID leaks as well. Just last week, Truecaller Pay was found testing UPI payments on an unsecured production server. So the problem in India runs far deeper than just one company.