Update: Paytm stops asking for root access on Android devices


Update (13th March 2018): Paytm seems to have stopped asking users to grant root access to its app on Android devices. After the tweak, users running Paytm on a rooted Android device will no longer have to grant sensitive administrative access to the app before performing UPI transactions.

A Times of India report quotes an unnamed company spokesperson as saying that Paytm still checks whether the device is rooted, but that the method has changed and is coded differently. While the earlier method was foolproof, the latest method apparently has a success rate of 70-80%. This implies that Paytm is now going by the standard Android SafetyNet check route that multiple apps and games on the Play Store implement. While far less intrusive, the SafetyNet check can be spoofed by savvy users.

According to the TOI report, Paytm still insists that this move has been mandated by the NPCI.

Original story (9th March 2018): Paytm’s Android app has been asking users who have modified or rooted their devices for what is essentially administrative access. If a user allows the app to gain administrative access (also called root access or superuser access), it will, in theory, have complete control over the device.

This issue was first flagged by Twitter user Bibhas Debnath, who shared a screenshot of the request prompt put out by the payments app. The tweet garnered a lot of attention and even drew a response from Paytm founder and CEO Vijay Shekhar Sharma, who tweeted that the National Payments Corporation of India (NPCI) had asked the app maker to check for rooted devices before enabling access to UPI payments.

MediaNama reached out to NPCI MD and CEO Dilip Asbe, who said he isn’t talking to the media at the moment.

What is root access?

Rooting is a process that allows users to gain privileged control of their Android devices, removing any barriers to modification and tweaking of the device’s software. This process is often undertaken by savvy users who embrace both the openness and challenges associated with the process.

Once a device is rooted, it can be used to modify the device’s behaviour in ways the manufacturer may not have intended. Normally this privilege is restricted to the user himself. Certain apps, though, can be given this privilege, referred to as superuser access, which allows them an unfettered path to the device and its system software.

This is exactly what Paytm is asking users with root access to do: give its app permission to gain complete access to their devices.

So what’s the issue here?

Privacy. Security. Hackers. You name it. Root access to a device is something Paytm has no reason to request. The app does not in any way need root permissions to perform its operations effectively. But with root access, the Paytm app can do anything it wants on the phone: sit in the background, read all your messages, skim through your call history. Paytm has pointed out that it doesn’t intend to do any of this, but the absurd request being made still shows that the possibility exists.

“That will make PayTM/UPI the target of *every* two bit hacker in the world. Asking for this permission is *equal* to shipping a phone with PayTM/UPI at root level like google does. This is not good,” Anand Venkatanarayanan, a senior engineer and security researcher, tweeted.

What has also raised eyebrows is the Paytm CEO’s clarification that this was requested by the NPCI. “This is a serious issue because NPCI is not a regulator and their directions on cybersecurity seem weird. Even the RBI information security guidelines don’t make specific requests like enforcing root access check or permissions,” independent security researcher Srinivas Kodali told MediaNama. (* note on RBI guidelines below)

Now, there are other cases where app makers don’t necessarily play nice with rooted devices. For example, the Netflix Android app cannot be downloaded from the Play Store if a device is rooted, and neither can a multitude of other freemium games and media apps. This is done to prevent users from spoofing the app to access premium content without paying for it.

Google allows this root check at the Play Store level, known as a SafetyNet check. If a device is rooted, it fails the SafetyNet check and users are either not able to download the app or not able to get the service to run properly. These apps don’t go the nuclear route of asking users to give away root access, the method which Paytm has chosen. (It is technically possible to spoof the SafetyNet check itself in some cases, though.)

French mobile security researcher Robert Baptiste, who tweets from the handle @fs0c131y, also sparred with Paytm’s Deepak Abbott on the issue. Abbott’s argument was that root access is requested to perform a small check and that the Paytm app can be trusted not to misuse this privilege. Baptiste, like many others, pointed out that giving root rights to an app is a big deal and that even ‘unused privileges’ can be used as entry points by malware and hackers.

* Edit: It should be noted that RBI’s original draft guidelines about wallet interoperability mentioned that “The mobile app should not be allowed to be installed on rooted devices.” But this was omitted from the final master direction put out by the regulator. Even if one goes by the original draft guidelines, the RBI made no mention of requesting root access to the device; a SafetyNet check should have sufficed there.


© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ
