In January 2021, in the midst of an intense virtual discussion among the members of a Reserve Bank of India (RBI) working group, Rahul Sasi, a cybersecurity specialist from Bengaluru, was suddenly struck with a golden idea. The 32-year-old Sasi, one of the members of the RBI working group that was studying various aspects of digital lending activities in the country, had no answer when a senior central banker raised a pertinent question: how safe are online consumers using the hundreds of mobile apps, especially those of online retailers, when no regulator oversees them in the country?
The RBI working group had found, to its horror, that over 1,000 lending apps
had mushroomed in India within a few months of the lockdown, all of them outside
regulatory oversight and offering a multitude of loans at a click. Most of them
were illegal and employed dubious methods like social shaming and online
harassment, driving defaulters to suicide. A slew of suicides and prima-facie
serious complaints eventually forced the central bank to set up a working group
to suggest guidelines.
According to a research study by CloudSEK,
a digital risk management company founded by Sasi, India is the world’s biggest
market for mobile lending apps on Android phones with the country being home to
nearly 82% of all online lenders across the globe. As per its analysis, India
had 887 active loan apps while the U.S. came a distant second with 112
apps. Pakistan took third place with 34, closely followed by South Africa
(30) and Kenya (20).
The realisation that the consumers of
mobile apps have absolutely no safety net gave birth to BeVigil, a security
search engine for mobile apps, claimed to be the first of its kind. “Today,
when you install a mobile app, you do not know the application security
quality. Consumers have to trust the mobile app and install it blindly. Also,
many apps don’t go through any security reviews due to the high cost of
testing. This eventually leads to online leak of consumer data,” says Sasi.
BeVigil lets users audit an app
before installing it on their phone. As a free solution to audit apps, it also
helps app developers undertake a security audit. Mobile applications often
have vulnerabilities that compromise users’ safety, data, and privacy. BeVigil
enables security researchers and app developers to uncover and resolve
such vulnerabilities and make apps safer for users.
In less than a month of its soft-launch,
BeVigil has received over 10,000 submissions from all over the Internet. “We
have observed that over 40 apps were having a security flaw. [The flaw is that
app developers are hard-coding AWS keys inside the app packages, making it easy
for anyone to steal them.] That is close to 0.5% of apps. The CTO of BeVigil,
Shahrukh Ahmad, and his team analysed these incidents and reported them to AWS
as well as the individual companies,” says Sasi.
With this data, they have estimated that
there would be thousands of applications vulnerable to this flaw.
Since each of these apps will be handling
millions of users’ data, the severity of the leak will be enormous. CloudSEK has
responsibly disclosed the flaws to Amazon Web Services, a subsidiary of Amazon
providing on-demand cloud computing platforms and Application Programming
Interfaces (API is a software intermediary that allows two applications to talk
to each other) to individuals, companies, and governments across the globe.
Over 100 million users’ data at risk
Hundreds of startups and
corporate houses with millions of users on their mobile apps are at risk due to
a critical cybersecurity flaw.
According to CloudSEK, a critical flaw in
how mobile developers interact with Amazon Web Services (AWS) has put millions
of users’ data at risk. AWS is a subsidiary of Amazon providing on-demand cloud
computing platforms and Application Programming Interfaces (API is a software
intermediary that allows two applications to talk to each other) to developers.
An AWS user has an API key—sort of like the password to AWS. These API keys are
to be kept secure, and any malicious users getting access to the keys will
allow them to compromise the individual’s cloud account.
CloudSEK has observed that multiple large
and small companies that have millions of users are storing the API keys in an
insecure way: “hardcoding them inside their mobile apps”. Such keys can be
extracted by malicious hackers easily. In fact, a lot of high-profile hacks
that happened recently were the result of an AWS key leakage.
“Hardcoding an API key in a mobile app is
the same as locking your house and hanging the keys in an envelope that reads
‘do not open’,” says Sasi.
Of course, the flaw has nothing to do with
AWS. “It is about how developers choose to use the AWS keys. The security concern
we are reporting is specific to a customer application and/or how an AWS
customer has chosen to use an AWS product or service. To be clear, the security
concern we are highlighting must be addressed by the individual customers. AWS
has the capability to revoke all the keys, but that will cause disruptions to
their customers and services.”
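The hardcoded-key flaw described above is what an app developer can check for before shipping. The following is an added example, not BeVigil's or CloudSEK's code: it treats an APK as the zip archive it is and scans each entry's raw bytes for the AWS access key ID format and for a secret-key-shaped string sitting next to the word "secret". The sample APK, its entries and the key values are constructed here (the access key ID is AWS's documented placeholder, not a live key).

```python
import io
import re
import zipfile

# Long-term IAM access key IDs start with "AKIA", temporary STS ones with
# "ASIA"; both are followed by 16 uppercase alphanumerics (20 chars total).
ACCESS_KEY_ID_RE = re.compile(rb"(?<![A-Z0-9])((?:AKIA|ASIA)[A-Z0-9]{16})(?![A-Z0-9])")
# A secret access key is 40 base64-like characters. On its own that pattern is
# far too noisy, so it is only flagged when "secret" appears earlier on the line.
SECRET_LINE_RE = re.compile(
    rb"secret[^\n]{0,40}?([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+])", re.IGNORECASE)


def scan_bytes(name: str, data: bytes) -> list:
    """Return (entry, kind, value) findings for one APK entry's raw bytes.
    classes.dex stores string constants as (M)UTF-8 and assets/ files are kept
    verbatim, so a byte-level regex finds literals without decompiling."""
    findings = []
    for m in ACCESS_KEY_ID_RE.finditer(data):
        findings.append((name, "access_key_id", m.group(1).decode()))
    for m in SECRET_LINE_RE.finditer(data):
        findings.append((name, "secret_access_key", m.group(1).decode()))
    return findings


def scan_apk(apk_bytes: bytes) -> list:
    """An APK is a zip archive: scan every entry and collect all findings."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            findings.extend(scan_bytes(info.filename, apk.read(info.filename)))
    return findings


def build_sample_apk() -> bytes:
    """Constructed stand-in for a real APK: a zip with a fake dex and a config
    asset. AKIAIOSFODNN7EXAMPLE is AWS's documentation placeholder key ID."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", b"dex\n035\x00... AKIAIOSFODNN7EXAMPLE ...\x00")
        z.writestr("assets/config.json",
                   b'{"aws_secret_access_key": "' + b"A" * 40 + b'", "bucket": "x"}')
        z.writestr("res/raw/notes.txt", b"nothing sensitive here AKIAFAKE")  # too short
    return buf.getvalue()


if __name__ == "__main__":
    for entry, kind, value in scan_apk(build_sample_apk()):
        print(f"{entry}: hardcoded {kind} {value[:6]}...")  # never log a full secret
```

A hit in classes.dex or assets/ means the key ships to every installer of the app; the fix is to rotate that key in IAM and move the privilege server-side or behind short-lived credentials, not to obfuscate the string.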
When a consumer interacts with AWS, he/she
specifies AWS security credentials to verify who he/she is and whether the
consumer has permission to access the resources that he/she is requesting. AWS
uses the security credentials to authenticate and authorise the request. “For
example, if you want to download a protected file from an Amazon Simple Storage
Service (Amazon S3) bucket, your credentials must allow that access. If your
credentials aren't authorised to download the file, AWS denies your request.
However, your AWS security credentials are not required to download a file in
an Amazon S3 bucket that is publicly shared,” argues Sasi.
“The fact is that when you install a
mobile app, you do not know the quality of the application’s security. But with
BeVigil, users can ensure that they only install secure apps, and app
developers can use it as a free solution to audit their apps. Mobile
applications often have vulnerabilities that compromise users’ safety, data,
and privacy. BeVigil will enable security researchers and app developers to
uncover and resolve these vulnerabilities and make them safer for users,” Sasi
adds.
According to CloudSEK, any user on the
Internet can submit any Android Application for evaluation on the BeVigil
platform. The engine will analyse the application and provide a risk rating,
risk score and risk report. The risk rating is High, Medium or Low, with a
score from 1 to 10. High-risk applications have multiple security issues
and a low score [1-4]. Low-risk applications have fewer security
issues and a high score [7-10]. The scans performed are indexed and
available for search. This makes BeVigil the internet’s first and only
security search engine for mobile apps.
After raising more than $2
million earlier, CloudSEK is closing a $7 million funding backed by a few
investors from the U.S., Singapore, and India. Sasi says the licence for Xvigil—an
enterprise SaaS platform—is paid annually upfront by around 100 corporate customers
such as Paytm, MakeMyTrip, Ola, Cred, Airtel, and all leading private banks.
“Hence we are always cash positive,” he says.
“I believe cyber security
should be a fundamental right. This is why we have made BeVigil free,” adds
Sasi.
Source: fortuneindia.com