Update (13th March 2018): Paytm seems to have stopped asking users to grant root access to its app on Android devices. After the tweak, users running Paytm on a rooted Android device will no longer have to grant sensitive administrative access to the app before performing UPI transactions.
A Times of India report quotes an unnamed spokesperson from the company who says that Paytm is still checking if the device is rooted or not but the method has changed with a different coding. While the earlier method was foolproof, the latest method apparently has a success rate of 70-80%. This implies that Paytm is going by the standard Android SafetyNet check route that is implemented by multiple apps and games on the Play Store. While far less intrusive, the SafetyNet check can be spoofed by savvy users.
According to the TOI report, Paytm still insists that this move has been mandated by the NPCI.
Original story (9th March 2018): Paytm’s Android app has been asking users who have modified or rooted their devices for essentially administrative access. If a user allows the app to gain administrative access (also called root access or superuser access) it will, in theory, have complete control over the device.
This issue was first flagged by Twitter user Bibhas Debnath, who shared a screenshot of the request prompt put out by the payments app. The tweet garnered a lot of attention and even drew a response from Paytm founder and CEO Vijay Shekhar Sharma who tweeted out that the National Payments Corporation of India (NPCI) had asked the app maker to check for rooted devices before enabling access to UPI payments.
MediaNama reached out to NPCI MD and CEO Dilip Abse who said he isn’t talking to the media at the moment.
What is root access?
Rooting is a process that allows users gain privileged control of their Android devices, removing any barriers to modification and tweaking of the device’s software. This process is often undertaken by savvy users who embrace both the openness and challenges associated with the process.
Once a device is rooted it can be used to modify the device’s behaviour in ways the manufacturer may not have intended, normally this is restricted to the user himself. Certain apps though can be given this privilege, referred to as superuser access that allows them an unfettered path to the device and its system software.
This is exactly what Paytm is asking users with root access to do, give its app permission to gain complete access to their devices.
So what’s the issue here?
Privacy. Security. Hackers. You name it. Root access to a device is something Paytm has no reason to request. The app does not in any way need root permissions to perform its operations effectively. But with root access, the Paytm app can do anything it wants on the phone, sit in the background, read all your messages, skim through your call history. Paytm has pointed out that it doesn’t intend to do any of this but still the absurd request being made shows that the possibility exists.
“That will make PayTM/UPI the target of *every* two bit hacker in the world. Asking for this permission is *equal* to shipping a phone with PayTM/UPI at root level like google does. This is not good.” Anand Venkatanarayanan a senior engineer and security researcher tweeted out.
What has also raised eyebrows is the Paytm CEO’s clarification that this was requested by the NPCI. “This is a serious issue because NPCI is not a regulator and their directions on cybersecurity seem weird. Even the RBI information security guidelines don’t make specific requests like enforcing root access check or permissions,” independent security researcher Srinivas Kodali told MediaNama. (* note on RBI guidelines below)
Now there are other cases where app makers don’t always necessarily play nice with rooted devices. For example, the Netflix Android app cannot be downloaded from the Play Store if a device is rooted neither can a multitude of other freemium games and media apps. This is done to prevent users from spoofing the app to access premium content without paying for it.
Google allows this root check at the Play Store level, known as a SafetyNet check. If a device is rooted, it fails the SafetyNet check and users are either not able to download the app or get the service to run properly. These apps don’t go the nuclear route by asking users to give away root access the method which Paytm has chosen. (It is technically possible to spoof the SafetyNet check itself in some cases though)
— Elliot Alderson (@fs0c131y) March 8, 2018
French mobile security researcher Robert Baptiste who tweets from the handle @fs0c131y also sparred with Paytm’s Deepak Abbott on the issue. Abbott’s argument was that the root access is requested to perform a small check and that the Paytm app can be trusted to not misuse this privilege. Baptiste like many others pointed out that giving root rights to an app is a big deal and even ‘unused privileges’ can be used as entry points by malware and hackers.
* Edit: It should be noted that RBI’s original draft guidelines about wallet interoperability mentioned that “The mobile app should not be allowed to be installed on rooted devices.” But this was omitted from the final master direction put out by the regulator. Even if one goes by the original draft guidelines, the RBI had made no mention to request root access to the device a SafetyNet check should have sufficed there.