Paytm users on a rooted phone were surprised when the app asked them for access to root privileges before they could use the app.
What is Root?
Rooting an Android phone means unlocking the phone’s software bootloader to install unofficial software. Rooting allows those apps to access specific system settings that are locked down by default. It grants the user access to various subsystems of Android. Root is for the user only, but apps designed with root access can ask for permission and thus gain access to more resources.
Why was the Paytm app asking for root access?
Paytm is used by people as an e-payments app to send and receive money, to make payments and book tickets online, or for any other transaction where Paytm is enabled as a wallet. The app does not require any special permission. However, a French security researcher named Elliot Alderson found out that an old version of the app asked rooted users for root permission, which would grant the app full control over the device. According to Paytm, users were being asked to provide root privileges so that Paytm could check the device and OS information.
What has Paytm said about this?
Paytm has updated the config of their app, which no longer asks the user for root access. Paytm CEO Vijay Shekhar Sharma said that the National Payments Corporation of India (NPCI) had asked them to check for users who have rooted their phone before they were granted access to make UPI payments.
Paytm says that they were checking for device and OS information. They will still be checking for root access, but now with a new method which is foolproof. Paytm says that it doesn’t intend to do any of this.
Why should you be worried?
Root access is not like access to messages or call details. If an app is granted root access, it has the potential to access information of other installed apps, read their personal information and also do tasks in the background with the user’s information. It is potentially a huge breach of security and a gateway for malware. Root can enable the app to exploit vulnerabilities within the installed apps.
So why didn’t Paytm refuse NPCI earlier, if it can quickly drop the ‘root clause’ now?
We are guessing that, as with all things government, Paytm probably found it easier to comply with what is clearly an absurd request from the NPCI than to try and make the effort to convince them about the judiciousness of such a request. And that’s really the charitable view. The PSU bank-backed NPCI, of course, controls usage of UPI, besides being a permanent shadow over all wallets.
Of course, rooting a phone, while not rocket science, is also not everyone’s cup of tea, and other than users who have purchased a pre-owned phone, original users can safely be expected to be smart enough to recognise such a request as unreasonable, as was done in this case to bring it to the public domain. The total number of rooted phones is not available, and it should be pretty small. So is this a major issue? Not really, other than showing up Paytm in poor light when it comes to standing up more firmly for the right thing, something the company under its charismatic leader has been trying to project for a long time.