A $10 billion Indian startup has changed the permissions required by its app after being called out by an anonymous Twitter handle.
Paytm has reportedly removed the “Superuser” access that its app requested on rooted phones following an online campaign led by anonymous French security expert Elliot Alderson. Alderson, who goes by the name of the hacker protagonist on the show Mr. Robot, has been pointing out vulnerabilities in Indian government websites for the last few weeks. He’s gained a sizable Twitter following, with users often giving him suggestions on which sites to target next. Yesterday, he’d trained his sights on Paytm.
.@Paytm here I come!
Spoiler: There is no good reason to ask root permission for this app pic.twitter.com/IFinNotFaL
— Elliot Alderson (@fs0c131y) March 8, 2018
Alderson said that Paytm had no reason to need a Superuser permission on rooted phones. Superuser permission, if granted, essentially hands control of the entire phone to Paytm — Paytm could, hypothetically, make any change to a user’s phone it liked, including reading all private messages, accessing confidential data, and even modifying other apps.
Paytm CEO Vijay Shekhar Sharma said on Twitter that Paytm asked for the Superuser permission because the NPCI, the body that regulates UPI payments, asked it to.
… NPCI asked us to check rooted phone via this permission for enabling UPI …
— Vijay Shekhar (@vijayshekhar) March 8, 2018
Paytm VP Deepak Abbot also responded to Alderson’s original tweet, arguing that even if Paytm did have the Superuser permission, they were a responsible company and wouldn’t go ahead and use it. This alarmed some Twitter users, who said that simply having the permission would make Paytm vulnerable to hackers. “That will make PayTM/UPI the target of *every* two bit hacker in the world. Asking for this permission is *equal* to shipping a phone with PayTM/UPI at root level like google does. This is not good,” said a user. Abbot later deleted his tweets.
After our discussion, @deepakabbot deleted all his tweets. This is not a good way to start @Paytm… pic.twitter.com/I5q1Ze19wV
— Elliot Alderson (@fs0c131y) March 8, 2018
But today, Alderson said that Paytm had contacted him privately, and assured him they’d removed the Superuser request.
After this tweet, @Paytm contacted me in private. Today, according to them, they remotely removed this root rights request. Do you confirm it? https://t.co/nAnTRrd00l
— Elliot Alderson (@fs0c131y) March 9, 2018
People confirmed that Paytm had indeed taken down the permission.
They removed the root permission.
— Mohd Asif (@mha3if) March 9, 2018
Can confirm.. don't see the prompt now.. great and fair job you both @Paytm @fs0c131y
— Kapil Adhikesavalu (@kapilathi) March 9, 2018
Rooted phones give users complete control over their devices, but also present a security risk — phone manufacturers typically void the warranty if a user roots their phone, and several apps, such as Netflix and Google Tez, don’t even run on rooted phones. Rooted phones are an even bigger risk for applications that deal with sensitive information, such as banking and payment apps. But Paytm’s solution for running its app on rooted phones was unusual — in order to detect rooted phones and warn people not to run its app on them, it was essentially asking to become the root user itself. This, according to security researchers, had the potential to create even more security vulnerabilities, while at the same time giving Paytm unrestricted access to users’ phones.
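On a rooted phone the Superuser prompt appears when an app actually executes the `su` binary, so a root check that merely looks for `su` and other root indicators never triggers that prompt and never puts root privileges in the app's hands. The following Android snippet is an added illustration of that approach; it is not Paytm's code, and the list of `su` paths is a constructed set of common locations, not an exhaustive one.

```java
import android.os.Build;
import java.io.File;

/** Root-presence heuristics that never execute su (constructed example, not Paytm's code). */
public final class RootCheck {

    // Common install locations for the su binary on rooted devices (constructed list).
    private static final String[] SU_PATHS = {
        "/system/bin/su", "/system/xbin/su", "/sbin/su",
        "/system/su", "/su/bin/su", "/data/local/xbin/su", "/data/local/bin/su"
    };

    private RootCheck() {}

    /** True if a su binary exists at a well-known path. Only checks for the file; never runs it. */
    public static boolean suBinaryPresent() {
        for (String p : SU_PATHS) {
            if (new File(p).exists()) return true;
        }
        return false;
    }

    /** True if su is reachable through PATH. Walks the directories itself rather than
     *  spawning "which su", so no process that could invoke su is started. */
    public static boolean suOnPath() {
        String path = System.getenv("PATH");
        if (path == null) return false;
        for (String dir : path.split(":")) {
            if (new File(dir, "su").exists()) return true;
        }
        return false;
    }

    /** True if the firmware was signed with AOSP test keys, which is typical of custom ROMs. */
    public static boolean testKeysBuild() {
        String tags = Build.TAGS;
        return tags != null && tags.contains("test-keys");
    }

    /** Combine the heuristics. Root-hiding tools can defeat every one of them,
     *  so treat the result as a risk signal to act on (warn, limit UPI), not as proof. */
    public static boolean likelyRooted() {
        return suBinaryPresent() || suOnPath() || testKeysBuild();
    }
}
```

An app can call `RootCheck.likelyRooted()` at startup and decline to enable payments or show a warning, which satisfies "check for a rooted phone" without the app ever holding root itself.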
But Paytm’s removal of its Superuser access raises some more questions — does NPCI really require UPI apps to ask for Superuser access? And do other apps also comply with these guidelines? With thousands of crores now being transferred using UPI apps, some clarity on these issues will clear the air — it shouldn’t require a faceless French hacker to point out vulnerabilities in our core financial systems.
We’ve contacted Paytm about the issue and will update the article if we hear back.