BHIM shakes the country

Bharat Interface for Money – BHIM for short is the new app that has shaken the financial ecosystem in the country. it is designed to provide the easiest interface for the common man in to transfer and receive money. All one needs is a bank account and a mobile phone linked to it or a debit card issued for the account.

NPCI has created BHIM and is working to bring about a revolution in the country’s financial payment ecosystem. The indigenization is to be lauded and we are great supporters of Make In India. We hope that NPCI will talk with us for an interview on IW_Talks!

While BHIM has created a storm in the Indian financial payments world, there is a lot of praise and kudos heaped by common users. It is of great help, no doubt, but there is a general impression that it is a bit too good for being brought up in so short a time. Then there have been public claims about the App and every security researcher loves to prove the system wrong (especially when faced with claims of mil-grade security )

Maybe BHIM should have started a bug bounty program at the time launch <LOL> but in any case the NPCI team can thank these researchers for their contributions.

We are putting together (without attribution) comments and findings shared in the public domain across various platforms and in private (news, websites, etc)

Item # 1 – code issues1

Item # 1.1 – code issues 2 – decompile with ease!

Question: Hi, so you were actually able to decompile the apk and extract the source code for this app. That would be a major red flag making this app non-compliant with PCI standards

Researcher: Yup it was easy, just changed the extension to zip and extracted and decompiled.

(Maybe it was made so on purpose, so you guys can easily check for issues:-))

Item # 3

Here are a few suggestions on BHIM app. Made a few transactions using BHIM app, the other person doesn’t receive any confirmation SMS, so there’s no way for the other person to know if the money is transferred unless he or she has Internet connectivity and opens the app to check. One of the failed transactions resulted in money being deducted from my account, and I wasn’t even aware of it until I opened the net banking (since there was no SMS confirmation on the money deducted or added)

Item # 4

I faced this same error while verifying payee”s virtual address. Many users are getting errors while registering, like ”Device binding failed” etc..

Item # 4 – is this hosted on AWS !

Item # 5 – a truecaller ‘wannabe’ in the making !

Someone tried this using my number and see what came up! Someone has to try some other risk scenarios but the researcher(s) are worried about negative reaction from the owners!

Update Jan 07 – Item # 6

Was testing the latest build of the BHIM App, found that they have addressed the Crypto issue, good to see a quick reaction.

But found something more grave today:
1. SQL queries were inline and that is a high potential risk. Please use procedures.
2. Instead of writing error statements, it is better to specify error codes.
3. Rest of the points already highlighted still stand straight.

Item # 7 – Issue on CERT-In Empanelment

This is the gist of the conversation between Rakesh Goyal and Saket Modi about testing by CERT auditors and that Lucideus is not empaneled with CERT. I believe that the response is somewhat unconvincing. However, I have a question – how come Lucideus could demonstrate and deliver high grade testing for NPCI but it flunked the CERT empanelment test which is supposed to be weak (according to industry folk). Anyway – this is the conversation:

Update Jan 09, 2017

Item # 8 – Confidential Disclosure

Today morning IW made a confidential disclosure of 5 issues in BHIM to NPCI. This will be made public after two weeks.

We are sure there are other researchers who have been submitting bugs directly to NPCI and we request them to please share the research on this blog.

Item # 9 – Issue released by Sameep Agarwal

@BHIM.NPCI I had promised my peers, that I would be writing more about the BHIM app but it got delayed because I overslept… Thank God did that.

Previously, I have shared my observations based on static analysis. Today, I just thought of doing the dynamic approach but I was taken aback when my Device registration through SMS exposed something hilarious….

The App doesn’t send the verification code from within the encapsulated code… rather it opens up the generic SMS utility ; it sends the numerical code of 13 digit in sms body to a 10 digit registered number 092XXXXXXX .

1. There are no multiple numbers mapped to Shortcode (eg: 58888), hence all traffic is just on one registered number.

2. A person with malicious intent can bombard this number, thus crowding the server and resulting in DDoS.

3. The Verification code can be tampered in plain text in the generic SMS utility itself.

4. I didn’t proceed ahead as I felt demotivated after the findings.

Our PM tweeted that BHIM has crossed 10 million users… My question : What about cyber security aspect that the government has been yelling?

I am again offering my service for free, if BHIM developers (Chhota Bheem) are serious about their stuff.

Call for Submission

The voluntary efforts of all community researchers will be appreciated by NPCI and the public at large. We request researchers to add their additional findings in the comments area below or to communicate with us and we will update this blog.

We shall be sharing the blog contents with NPCI and hope that they will take necessary remediation actions.

God Bless all Makers for India and God Bless the Information Security community.