Paytm stops seeking root access of users’ devices after outcry
If granted root access, an application can get access to all the data including SMS, Call, Draw Over Other apps and other sensitive data.
Updated: Mar 13, 2018 20:14 IST
Paytm has stopped seeking root access to users’ devices after a number of people raised privacy concerns. Root access is essentially a special permission which, if granted, can allow an application to read your messages and call history. Paytm, however, says the access was sought in a bid to comply with NPCI’s guidelines.
Paytm was found seeking root access on certain Android devices, as reported by a Twitter user who goes by the name of Elliot Alderson. The user claimed that Paytm had contacted him on Twitter and removed the root rights request. Now, Paytm is just checking if the device is rooted or not.
Another Twitter user, Bibhas Debnath, also posted a screenshot of the application seeking root permission. Responding to the user, Paytm CEO Vijay Shekhar Sharma said it was enabled in order to follow NPCI’s guideline to check for rooted devices to further enable UPI.
Paytm claims that it never accessed private messages and other data of users. Deepak Abbot, a senior Paytm official, said that the root access was meant to perform a small check and that Paytm didn’t breach customers’ trust.
... NPCI asked us to check rooted phone via this permission for enabling UPI ... — Vijay Shekhar (@vijayshekhar) March 8, 2018
I still stand by what I wrote. I just didn't want to drag it. I was trying to highlight a bigger point which was being overlooked — Deepak Abbot (@deepakabbot) March 8, 2018
It is worth noting that RBI, in one of its draft guidelines, had mentioned that “The mobile app should not be allowed to be installed on rooted devices.” This was, however, not mentioned in the final directives, according to a MediaNama report.
Paytm declined to comment on our queries on the issue.
What is root access and why you should be worried
In simple terms, root access is a set of permissions that allows one to take full control of a device. This means that if an application has such access, it can read your messages and even make changes to your device at a certain level. Besides being highly dangerous for users’ privacy, applications holding such sensitive data can themselves become big targets for cybercriminals and hackers.
Bangalore-based developer Harsha Halvi said, “Android users by default are not given root access because there are so many security implications that arise with it. Paytm wanted to check if the phone a user is using is rooted or not (because of NPCI Rules and Regulations) and decided to do that with Root Access. The problem with that is they can get access to all the data (SMS, Call, Draw Over Other apps, and many more) without even asking user’s permission for it.”
“The recommended and reliable way to do the same is to rely on SafetyNet Attestation API, but it’s a cat and mouse game and it’s impossible to tell if a phone is rooted or not with a ~80+% accuracy rate,” he added.
First Published: Mar 13, 2018 15:55 IST