Team-BHP (https://www.team-bhp.com/forum/)
I moved out balance from my existing Paytm payment bank to airtel payment bank. Good thing is our airtel mobile number is our account number. It took flat 3 minutes to activate and I linked this to the existing paytm app.
Quote: Originally Posted by shancz (Post 5712959)
I think reading SMS isn't very likely unless the permission is explicitly given, and even then reading unrelated messages from the inbox isn't feasible.
The Paytm app, like all UPI apps, refuses to work unless the Phone (for IMEI access mainly - so that the app can detect if the phone+SIM combination has been altered and if yes, ask the user to re-authenticate) and SMS (to send the authentication SMS without user intervention, as the UPI specification mandates) permissions are granted.
Quote: Originally Posted by BoneCollector (Post 5712575)
On another note, I have never purchased my car insurance from them, but now they're asking me to renew my car insurance from them due to expiry at February end. So the app indeed reads the messages and sends a report to some server. Crazy.
Off topic!
There are much easier ways to get that info than reading texts, which requires explicit permission and could easily be traced later. The dealerships sell data, and I too get many calls around the insurance renewal time. I asked one of them how they got my details and they said the dealership shared them.
I believe many businesses we interact with share (read: sell) data, or it gets leaked somehow. It's not uncommon.
Quote: Originally Posted by binand (Post 5713084)
(to send the authentication SMS without user intervention, as the UPI specification mandates) permissions are granted.
I don’t think iPhones do this. Even in this case, it drafts the text message and prompts the user to click send. It won’t allow sending a text without user intervention. iOS doesn’t even allow apps to read text messages; only limited access to OTP. It may be possible on android phones though.
Quote: Originally Posted by robincsamuel (Post 5713096)
I don't think iPhones do this. Even in this case, it drafts the text message and prompts the user to click send. It won't allow sending a text without user intervention.
UPI's security model requires the ability to satisfy itself that the handset on which the app is installed also contains the SIM card on which UPI is being activated. It performs this check upon first activation and then monitors the device for changes in the device/SIM configuration.
This check is performed by sending an SMS message without user intervention via the SIM card in question. The backend verifies the phone number from which the SMS came, and the information contained in the message payload, to conclude this verification.
If iPhones do not allow this but instead bring up the SMS app and show the message as a draft, then it is theoretically possible for an attacker to copy over that draft message to another (attacker-controlled) phone and send it from there. Then the validation will be of the victim's phone number on the attacker's phone.
[Note: just saying that it would be theoretically possible; I have not looked into the practical feasibility of such an attack]
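The device-binding check described in the post above (an SMS sent silently from the SIM, verified on the backend by sender number plus payload) can be modelled on the server side. The following is an added example, not code from the thread, from NPCI or from any UPI app, and the "BIND <nonce> <device_id>" message format, the number prefix, the TTL and the result strings are all constructed for illustration. It shows why the carrier-supplied sender number matters: a message body copied to another handset still arrives from the wrong number, so the binding is refused.

```python
import secrets
import time

NONCE_TTL_SECONDS = 300  # constructed value: how long a binding attempt stays valid


class DeviceBindingServer:
    """Backend side of a simplified SMS device-binding check (constructed model).

    Flow modelled here:
      1. app asks the server to start binding for (msisdn, device_id); server returns a nonce
      2. app sends an SMS from the SIM reading "BIND <nonce> <device_id>"
      3. the SMS gateway hands the server the sender number and the body;
         the server binds only if sender, nonce and device_id all agree.
    """

    def __init__(self, clock=time.time):
        self.clock = clock
        self.pending = {}   # nonce -> (msisdn, device_id, issued_at)
        self.bound = {}     # msisdn -> device_id

    def start_binding(self, msisdn: str, device_id: str) -> str:
        nonce = secrets.token_urlsafe(12)
        self.pending[nonce] = (msisdn, device_id, self.clock())
        return nonce

    @staticmethod
    def compose_sms(nonce: str, device_id: str) -> str:
        """The payload the app would place in the SMS it sends from the SIM."""
        return f"BIND {nonce} {device_id}"

    def receive_sms(self, sender_msisdn: str, body: str) -> str:
        """Called by the gateway with the carrier-reported sender and the message text."""
        parts = body.split()
        if len(parts) != 3 or parts[0] != "BIND":
            return "malformed"
        _, nonce, device_id = parts
        record = self.pending.get(nonce)
        if record is None:
            return "unknown-or-replayed-nonce"
        msisdn, expected_device, issued_at = record
        if self.clock() - issued_at > NONCE_TTL_SECONDS:
            del self.pending[nonce]
            return "expired"
        # The sender number comes from the carrier, not from the message text,
        # so a body copied to another handset arrives from a different number.
        if sender_msisdn != msisdn:
            return "sender-mismatch"
        if device_id != expected_device:
            return "device-mismatch"
        del self.pending[nonce]          # nonces are single use
        self.bound[msisdn] = device_id
        return "bound"

    def is_bound(self, msisdn: str, device_id: str) -> bool:
        return self.bound.get(msisdn) == device_id


def demo() -> dict:
    """Run the genuine, forwarded, replayed and expired cases on constructed data."""
    clock = [1_700_000_000.0]                      # controllable clock for the expiry case
    server = DeviceBindingServer(clock=lambda: clock[0])
    victim, device = "+919800000001", "device-A"   # constructed identifiers
    nonce = server.start_binding(victim, device)
    body = DeviceBindingServer.compose_sms(nonce, device)
    results = {
        # same body, sent from another SIM: refused on sender number
        "forwarded_from_other_sim": server.receive_sms("+919800000099", body),
        "genuine": server.receive_sms(victim, body),
        "replay": server.receive_sms(victim, body),
    }
    nonce2 = server.start_binding(victim, device)
    clock[0] += NONCE_TTL_SECONDS + 1
    results["expired"] = server.receive_sms(victim, DeviceBindingServer.compose_sms(nonce2, device))
    results["victim_bound"] = server.is_bound(victim, device)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

A production system would additionally invalidate the nonce and raise an alert on a sender mismatch rather than leaving the attempt pending, since a mismatch is itself a signal that the payload left the handset.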
Quote: Originally Posted by robincsamuel (Post 5713096)
iOS doesn't even allow apps to read text messages; only limited access to OTP. It may be possible on android phones though.
UPI on Android also needs to read SMS only for OTPs.
But Apple has made an exception for the TRAI DND app (permitting it to read all SMS; not just OTP) in India when threatened with a ban.
Quote: Originally Posted by shancz (Post 5712959)
I think reading SMS isn't very likely unless the permission is explicitly given, and even then reading unrelated messages from the inbox isn't feasible.
Yeah, without permission you cannot read messages. But reading unrelated messages is not feasible? I disagree. We have built a simple app to read all messages to understand the income & expenses pattern and then give suggestions to the user on how to improve his spending and save better. If a team of two can do it, I guess Paytm can easily do a lot more than that.
Quote: Originally Posted by xcentrk (Post 5713273)
But reading unrelated messages is not feasible? I disagree. We have built a simple app to read all messages to understand the income & expenses pattern and then give suggestions to the user on how to improve his spending and save better.
Didn't know that, thanks for correcting :thumbs up
So my next question is, if I don't grant "SMS permission" can it still read the inbox? And can it just read the inbox or even Archives?
Quote: Originally Posted by Briarean (Post 5712926)
Inoperative Wallets: Out of 35 crore Paytm Wallets, a staggering 31 crore were found to be inoperative.
Quote:
Jio Financial shares up 9% on report firm eyeing Paytm wallet biz
Shares of Jio Financial Services Ltd (JFS) soared 8.53 per cent in Monday's trade amid a media report suggesting HDFC Bank and the Reliance Industries' demerged financial services firm were among the forerunners to acquire the wallet business of One 97 Communications Ltd (Paytm). Following the development, the JFS stock rose 8.53 per cent to hit fresh high of Rs 275.40. Shares of Paytm were locked at a 10 per cent lower circuit limit, falling 43 per cent in three trading sessions. HDFC Bank Ltd shares were trading flat.
If that number of wallets are actually inoperative, then what value will Jio or HDFC consider/agree upon for Paytm?
Source: https://www.businesstoday.in/markets...174-2024-02-05
Sorry for going off-topic again. @Mods, please move it to a new thread or take it down if it's not relevant.
Quote: Originally Posted by binand (Post 5713201)
If iPhones do not allow this but instead bring up the SMS app and show the message as a draft, then it is theoretically possible for an attacker to copy over that draft message to another (attacker-controlled) phone and send it from there.
I agree with the UPI implementation you explained. However, iOS doesn't allow sending a text message from the background, unlike Android (I just verified the documentation again). As per my understanding, iOS does not have a developer API to read text messages or send text messages without user intervention. Even to access the OTP, iOS parses the OTP out of the text message and only the code is exposed to the apps. I'd be happy to be corrected if someone can share a reference to the official documentation.
Here's a screenshot of the message prompt when I tried setting up UPI.
Also, I agree that this is completely possible with Android. Android developer APIs allow app developers to read an incoming message or send a text message without user intervention, provided the user has granted the necessary permissions to do so.
About the security concern you raised, I don't really see an issue where the attacker copies the UPI secret. If an attacker has access to the device, it may be possible to grab the secret using various methods, irrespective of whether it's in the background or not, and regardless of the OS being iOS or Android (e.g., by using a network monitoring tool). So, I think if you hand over the phone to an attacker, there's no point in discussing the security issues.
Quote:
UPI on Android also needs to read SMS only for OTPs.
I'm not specifically referring to UPI; I'm talking about any SMS. As I mentioned earlier, Android APIs indeed allow developers to read the text message as it is.
Quote:
But Apple has made an exception for the TRAI DND app (permitting it to read all SMS; not just OTP) in India when threatened with a ban.
I didn't know this, but yes, they could (as a government entity, as an exception). I would love to know more about the implementation.
Quote: Originally Posted by xcentrk (Post 5713273)
We have built a simple app to read all messages to understand the income & expenses pattern
Is it an iOS app? Could you please share the app link or provide any references?
Quote: Originally Posted by shancz (Post 5713278)
So my next question is, if I don't grant "SMS permission" can it still read the inbox? And can it just read the inbox or even Archives?
No, the apps cannot. Again, happy to be corrected. As I mentioned earlier, iOS does not allow inbox access (a government entity may be allowed, but that's a different thing). And even on Android, it doesn't allow access to past messages, as far as I know. My understanding is that Android allows apps to read an incoming text message.
Please note that I'm not trying to argue but just stating based on my understanding. I'm genuinely interested in these topics, and I welcome corrections if I'm wrong.
Quote: Originally Posted by shancz (Post 5713278)
Didn't know that, thanks for correcting :thumbs up
So my next question is, if I don't grant "SMS permission" can it still read the inbox? And can it just read the inbox or even Archives?
With older Android versions it was possible, but Google tightened this and for the last 2-3 years this has been blocked. But without permission one can read the OTP messages even now.
Quote: Originally Posted by robincsamuel (Post 5713299)
Is it an iOS app? Could you please share the app link or provide any references?
It's an Android app we developed for a customer and they are the ones to promote the app. Not sure about the link as we did it 2 years ago!
Quote: Originally Posted by robincsamuel (Post 5713299)
My understanding is that Android allows apps to read an incoming text message.
That is/was my understanding too, as the objective of the SMS permission is essentially to read OTPs/validation codes automatically going forward, so access to the entire Inbox doesn't seem very logical and is a major privacy concern IMHO.
I would guess that a simple way would be to have a registration-id embedded in the app which can read messages from the sender linked to that id only and not everyone.
But since xcentrk has mentioned that they've developed an app which does it and I don't have any knowledge of how the latest SMS permission works, I will keep it in a grey area.
OT:
Although this does hammer home the point of a review of all apps and permissions and a review of the android and iOS environments from a security and privacy standpoint which of course is outside the scope of this discussion.
Appending the response to the latest post which was missed:
Quote: Originally Posted by xcentrk (Post 5713305)
With older Android versions it was possible, but Google tightened this and for the last 2-3 years this has been blocked. But without permission one can read the OTP messages even now.
Thankfully, but still reading messages without permission? I thought this had changed since Android 11/12 at least, when we had to explicitly provide all permissions.
So on the latest SDK is there an API which returns a list of messages?
Quote: Originally Posted by xcentrk (Post 5713305)
But without permission one can read the OTP messages even now.
Quote: Originally Posted by shancz (Post 5713309)
access of the entire Inbox doesn't seem very logical and a major privacy concern IMHO.
True! That sounds strange!
Quote:
It's an Android app we developed for a customer
Okay. When I said it's not possible to read texts, I was specifically referring to iOS.
Quote:
But since xcentrk has mentioned that they've developed an app which does it and I don't have any knowledge of how the latest SMS permission works, I will keep it in a grey area.
So on the latest SDK is there an API which returns a list of messages?
My understanding was that the app could register a listener to receive incoming text messages and the listener gets the message contents whenever an SMS arrives. This gives apps access to the messages without giving a list or read access to the inbox. But it seems possible on Android.
https://youtu.be/9fIiQ9YQ7BI?si=nieadpDwnMFBfGX_
Quote: Originally Posted by shancz (Post 5713309)
Thankfully, but still reading messages without permission? I thought this had changed since Android 11/12 at least, when we had to explicitly provide all permissions.
So on the latest SDK is there an API which returns a list of messages?
If I remember correctly, things were very lax before Android 9. We could literally do anything and store data on the server as we wished. But with the release of Android 9, things started to get more serious. And Android 10 and above have made a lot more changes towards privacy and data management, so much so that a few of our applications were removed because of policy violations just because we were using the permissions. We had to change a lot to re-publish the app even though we hadn't used that data in a malicious way.
With READ_SMS permission, we can get a list of all SMS from Inbox, Drafts and Sent.
Quote: Originally Posted by robincsamuel (Post 5713322)
Okay. When I said it's not possible to read texts, I was specifically referring to iOS.
iOS is a lot more strict when it comes to privacy and data storage. Google has been catching up lately and things are becoming harder for small developers who want to play with users' data. But even then, Android still needs a lot more improvement.
Quote: Originally Posted by robincsamuel (Post 5713299)
About the security concern you raised, I don't really see an issue where the attacker copies the UPI secret. If an attacker has access to the device, it may be possible to grab the secret using various methods, irrespective of whether it's in the background or not, and regardless of the OS being iOS or Android (e.g., by using a network monitoring tool). So, I think if you hand over the phone to an attacker, there's no point in discussing the security issues.
The concern is that an attacker could take control of your device for a short period of time and do their shenanigans without you knowing. It is a very valid concern in the mobile world. There are dozens of use-cases where you have to hand over the phone to an attacker; security professionals cannot ignore those.
Also note that with the prevalence of encryption/TLS, network monitoring tools can't do much these days.
Quote: Originally Posted by shancz (Post 5713309)
the objective of the SMS permission is to essentially read OTPs/validation codes...
You don't need SMS permission to read an OTP sent by your own backend to your app. Android manages this without requiring you to ask for access to SMS messages at all. See:
https://developers.google.com/identi...iever/overview
In Android there are 3 SMS-related permissions: SEND_SMS (to send an SMS, needed by UPI apps), RECEIVE_SMS (to access incoming SMS messages) and READ_SMS (to access SMS already on the device). These three are grouped into an SMS permission group and are requested and granted together. Typical use-cases for these permissions are SMS management applications and Banking/UPI applications. On my device the Windows Phone Link has this permission (to read/send SMS from my PC) and so does the dialler app.
Quote: Originally Posted by robincsamuel (Post 5713322)
My understanding was that the app could register a listener to receive incoming text messages and the listener gets the message contents whenever an SMS arrives. This gives apps access to the messages without giving a list or read access to the inbox. But it seems possible on Android.
See above. Without the SMS permission, Android will deliver only those SMS messages to your app that contain a magic incantation. With the SMS permission(s), it is complete free-for-all.
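The "magic incantation" mentioned here, and the SMS Retriever overview linked in binand's earlier post, refer to a message format that lets the platform hand one specific SMS to one specific app without granting it any SMS permission. The following is an added example, not code from the thread or from Google: a Python model of the backend side of that arrangement. `app_hash` follows the recipe documented for the SMS Retriever API (SHA-256 over the package name, a space and the hex of the signing certificate; first 9 bytes; base64; first 11 characters), `build_otp_sms` composes a message that starts with `<#>` and ends with that hash within 140 bytes, and `os_would_deliver` is a simplified stand-in for the platform filter, not the real Android implementation. The package name, certificate bytes and OTP are constructed.

```python
import base64
import hashlib
import re

RETRIEVER_PREFIX = "<#>"   # documented prefix for retriever-format messages
MAX_SMS_BYTES = 140        # documented size limit for such messages
HASH_LEN = 11              # documented length of the app hash


def app_hash(package_name: str, signing_cert_der: bytes) -> str:
    """11-character app hash as documented for the SMS Retriever API."""
    app_info = f"{package_name} {signing_cert_der.hex()}".encode("utf-8")
    digest = hashlib.sha256(app_info).digest()[:9]
    return base64.b64encode(digest).decode("ascii")[:HASH_LEN]


def build_otp_sms(otp: str, hash11: str, text: str = "Your verification code is") -> str:
    """Compose the message a backend sends so the OS routes it to the matching app."""
    msg = f"{RETRIEVER_PREFIX} {text} {otp}\n{hash11}"
    if len(msg.encode("utf-8")) > MAX_SMS_BYTES:
        raise ValueError("retriever message must fit in 140 bytes")
    return msg


def os_would_deliver(msg: str, hash11: str) -> bool:
    """Simplified model of the platform filter (not the real implementation):
    without SMS permission an app only receives a message carrying the prefix
    and its own hash; every other SMS stays invisible to it."""
    return msg.startswith(RETRIEVER_PREFIX) and msg.rstrip().endswith(hash11)


def extract_otp(msg: str, digits: int = 6):
    """Pull the numeric OTP out of a delivered message, ignoring the hash line."""
    body = msg[len(RETRIEVER_PREFIX):].rsplit("\n", 1)[0]
    m = re.search(rf"\b\d{{{digits}}}\b", body)
    return m.group(0) if m else None


def demo() -> dict:
    """Exercise the flow on constructed inputs (fake package name and certificate)."""
    fake_cert = bytes(range(64))                    # constructed, not a real certificate
    h = app_hash("com.example.bankapp", fake_cert)  # constructed package name
    other = app_hash("com.example.other", fake_cert)
    msg = build_otp_sms("482913", h)                # constructed OTP
    return {
        "hash": h,
        "message": msg,
        "delivered_to_app": os_would_deliver(msg, h),
        "delivered_to_other_app": os_would_deliver(msg, other),
        "plain_sms_delivered": os_would_deliver("Your code is 482913", h),
        "otp": extract_otp(msg),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The point the model makes is the one the post makes: the hash is derived from the app's package name and signing certificate, so only a message deliberately formatted for that app reaches it, and an ordinary SMS (the `plain_sms_delivered` case) never does unless the SMS permission group is granted.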
Quote: Originally Posted by binand (Post 5713352)
There are dozens of use-cases where you have to hand over the phone to an attacker; security professionals cannot ignore those.
I agree it cannot be ignored but I'm just saying if you hand over the phone to an attacker, then there are a lot of possibilities.
Quote: Originally Posted by robincsamuel (Post 5713096)
I don't think iPhones do this. Even in this case, it drafts the text message and prompts the user to click send. It won't allow sending a text without user intervention. iOS doesn't even allow apps to read text messages; only limited access to OTP. It may be possible on android phones though.
I just want to reiterate the original point I raised; I mean, I was only talking about iPhones and not Android. iOS does not allow apps to read or send texts. I have shared the screenshot in my previous post showing the message draft popping up since the app cannot send the message.
Just curious, when Android devices send text messages automatically, won't they remain in the sent messages list? In that case, anyone could access the message, right?
Quote: Originally Posted by SnS_12 (Post 5713280)
True. Will be a fire sale.
In addition, the wallet business also entails the baggage of dodgy KYC isn't it?
Unless RBI agrees to give the acquirer a large leeway to clean up things, can't see why would anyone want to pay money and end up with a bunch of dodgy accounts.
Does the acquirer of the wallet business also get to acquire the fastag business?