Amid the state rhetoric and push for ‘digital India’ security experts have found that hackers can gain access to a user’s account details in government’s BHIM app with just basic programming skills. This serious security flaws discovered in the BHIM app could dent the government’s digital push.
The government is set to link the Aadhar card to the newly launched BHIM app for making e-payments through mobile devices.
“The BHIM app is written in a very amateur way and the entire code is unprotected, which means it can be easily downloaded and modified by anyone,” a Mumbai-based security expert Prashant Mali said.
The programme codes of the app are easily procured. It is effortless for any hacker could download the .apk file of the app and modify parts of the code in such a way that once the user’s bank details are keyed in, the hacker could take control of the account. Fake apps resembling the original can be generated with little effort.
In addition the app is also vulnerable to a ‘denial of services’ attack, wherein hackers flood servers with fake transactions to bring them down, Business Line reported.
“The app also has SQL injection vulnerability, using which hackers can extract bank account details easily,” Mali added. SQL stands for Structured Query Language, used to communicate with a database.
Experts believe the app was written in haste, due to which such errors were not rectified in the testing phase. The Centre has been pushing citizens to adopt digital payment methods with the result that most companies developing apps have put them through inadequate tests.
There have been issues with other digital payment platforms, too. During the demonetisation drive, Paytm launched its merchant app, which allowed traders and shopkeepers to accept credit and debit cards without investing in a PoS terminal. However, it was withdrawn a day later after experts pointed out holes in its system.