In January 2021, in the midst of an intense virtual discussion among the members of a Reserve Bank of India (RBI) working group, Rahul Sasi, a cybersecurity specialist from Bengaluru, was suddenly struck with a golden idea. The 32-year-old Sasi, one of the members of the RBI working group that was studying various aspects of digital lending activities in the country, had no answer when a senior central banker raised a pertinent question: how safe are the online consumers using hundreds of mobile-based apps, especially by online retailers, in the absence of a regulator, in the country?
The RBI working group had found to its horror how over 1,000 apps had mushroomed in India in a few months of lockdown, and all of them were off the regulatory glare, offering a multitude of loans at a click. Most of them were illegal and employed dubious methods like social shaming and online harassment, driving defaulters to suicide. A slew of suicides and prima-facie serious complaints eventually forced the central bank to set up a working group to suggest guidelines.
According to a research study by CloudSEK, a digital risk management company founded by Sasi, India is the world’s biggest market for mobile lending apps on Android phones with the country being home to nearly 82% of all online lenders across the globe. As per its analysis, India had 887 active loans apps while the U.S. came at a distant second with 112 apps. Pakistan took the third place with 34, closely followed by South Africa (30) and Kenya (20).
The realisation that the consumers of mobile apps have absolutely no safety net gave birth to BeVigil, a security search engineer for mobile apps, claimed to be the first of its kind. “Today, when you install a mobile app, you do not know the application security quality. Consumers have to trust the mobile app and install it blindly. Also, many apps don’t go through any security reviews due to the high cost of testing. This eventually leads to online leak of consumer data,” says Sasi.
BeVigil helps users do an audit of the app before downloading it on the mobile. As a free solution to audit apps, it also helps app developers to undertake a security audit. Mobile applications often have vulnerabilities that compromise users’ safety, data, and privacy. BeVigil helps enable security researchers and app developers to uncover and resolve such vulnerabilities and make them safer for users.
In less than a month of its soft-launch, BeVigil has received over 10,000 submissions from all over the Internet. “We have observed that over 40 apps were having a security flaw. [The flaw is that app developers are hard-coding AWS keys inside the app packages, making it easy for anyone to steal them.] That is close to 0.5% of apps. The CTO of BeVigil, Shahrukh Ahmad, and his team analysed these incidents and reported them to AWS as well as the individual companies,” says Sasi.
With this data, they have estimated that there would be thousands of applications vulnerable to this flaw.
Since each of these apps will be handling millions of user data, the severity of the leak will be enormous. CloudSEK has responsibly disclosed the flaws to Amazon Web Services, a subsidiary of Amazon providing on-demand cloud computing platforms and Application Programming Interfaces (API is a software intermediary that allows two applications to talk to each other) to individuals, companies, and governments across the globe.
Over 100 million users’ data at risk
Hundreds of startups and corporate houses with millions of users on their mobile app are at risk due to a critical cybersecurity flow.
According to CloudSEK, a critical flaw in how mobile developers interact with Amazon Web Services (AWS) has put millions of users’ data at risk. AWS is a subsidiary of Amazon providing on-demand cloud computing platforms and Application Programming Interfaces (API is a software intermediary that allows two applications to talk to each other) to developers. An AWS user has an API key—sort of like the password to AWS. These API keys are to be kept secure, and any malicious users getting access to the keys will allow them to compromise the individual’s cloud account.
CloudSEK has observed that multiple large and small companies who have millions of users are storing the API keys in an insecure way; “hardcoding them inside their mobile apps”. This could be compromised by malicious hackers easily. In fact, a lot of high-profile hacks that happened recently was because of an AWS key leakage.
“Hardcoding an API key in a mobile app is the same as locking your house and hanging the keys in an envelope- that reads ‘do not open’,” says Sasi.
Of course, the flaw has nothing to do with AWS. “It is about how developers choose to use the AWS keys. The security concern we are reporting is specific to a customer application and/or how an AWS customer has chosen to use an AWS product or service. To be clear, the security concern we are highlighting must be addressed by the individual customers. AWS has the capability to revoke all the keys- but that will cause disruptions to their customers and services.”
When a consumer interacts with AWS, he / she specifies AWS security credentials to verify who he/she is and whether the consumer has permission to access the resources that he/she is requesting. AWS uses the security credentials to authenticate and authorise the request. “For example, if you want to download a protected file from an Amazon Simple Storage Service (Amazon S3) bucket, your credentials must allow that access. If your credentials aren't authorised to download the file, AWS denies your request. However, your AWS security credentials are not required to download a file in an Amazon S3 bucket that is publicly shared,” argues Sasi.
“The fact is that when you install a mobile app, you do not know the quality of the application’s security. But with BeVigil, users can ensure that they only install secure apps, and app developers can use it as a free solution to audit their apps. Mobile applications often have vulnerabilities that compromise users’ safety, data, and privacy. BeVigil will enable security researchers and app developers to uncover and resolve these vulnerabilities and make them safer for users,” Sasi adds.
According to CloudSEK, any user on the Internet can submit any Android Application for evaluation on the BeVigil platform. The engine will analyse the application and provide a risk rating, risk score and risk report. Risk rating would be High, Medium and Low and a score from 1 to 10. High-risk applications will have multiple security issues and have a low score [1-4]. Low-risk applications will have fewer security issues and a high score [7-10]. The scans performed would be indexed and available for search. This makes BeVigil, the internet’s first and only security search engine for mobile apps.
After raising more than $2 million earlier, CloudSEK is closing a $7 million funding backed by a few investors from the U.S., Singapore, and India. He says the license of Xvigil—an enterprise SaaS platform—is annual upfront from around 100 corporate customers such as Paytm, MakeMyTrip, Ola, Cred, Airtel, and all leading private banks. “Hence we are always cash positive,” he says.
“I believe cyber security should be a fundamental right. This is why we have made BeVigil free,” adds Sasi.