Oppo Kash, a financial services app that the Chinese company, best known in India for its smartphones, launched here earlier this year, asks users for root access on their Android phones that will give it complete control of the devices, a security researcher has claimed. The good news — the scope for misuse is limited, as the root access can only be gained on devices that are already rooted or modified by users through a systemless root process. The bad news — if you're using a rooted Android phone, this could give Oppo Kash complete control over the phone that's in your hands.
Bug-bounty hunter Athul Jayaram discovered the issue while randomly going through Google Play on a rooted phone. After installing the app, he noticed that the Oppo Kash app asked for superuser rights. This struck him as something odd, as most of the popular apps don't have such requirements.
He first reached out to the Oppo Kash developers, through the Oppo Security Response Center. Oppo told him it considered the issue to pose "no danger" but he disagreed, and pointed out that a financial application like Oppo Kash shouldn't be asking for root access in any case. "The intention of the application developers and the company is not right," he said told Gadgets 360 after getting this response.
Oppo, in response to questions from Gadgets 360, said that it was using root access on the Oppo Kash app to provide enhanced security to users.
“A users' information may be obtained by malicious act of other apps when the app runs on a rooted device. In order to better guarantee the security of OPPO Kash users' information and property, as well as the security of payment, our product has a code for environmental security detection. The purpose of this code is to detect whether the current device has been rooted, so as to avoid possible adverse impact on users' information and property security. It is this security mechanism that may lead to misunderstanding,” said Zafar Imam, Lead, Oppo Kash, in a prepared statement.
Jayram questioned the statement, and said, “Gaining root access on Android is the process of modifying the operating system that shipped with your device to acquire complete control over it."
However, cybersecurity consultant Andrew Tierney said that the seriousness of this issue depends on what was being done. He said, "Some apps have code in them that tries to run a root command — if it works, then it knows the phone is rooted. This is called root detection or jailbreak detection. I don't think the app will ask for root access."
Root access means access to all data on your phone
Tierney, who was recently in the news for his research on how Xiaomi phones were gathering user data, told Gadgets 360 that once a developer gained root access through an app, the developer could access any data stored in the filesystem of the phone. “There are some tiny exceptions to that, but they can intercept all traffic, look at all photos,” he said.
Tierney also mentioned that there should be no reason for root access except for inspecting how apps work.
“There's no good reason for a payment app to ask for root,” he underlined. “A normal app can ask for permissions, interact with the NFC, connect out, run processes, read contacts. Root gives you access to data stored in other apps, including your photos, messages, emails, any passwords. It also lets you install a custom root certificate and intercept browser traffic.”
However, Tierney also noted that this only applies if a user is using a rooted phone. He said that on a non-rooted phone, each app runs in an isolated sandbox.
Previously, other companies including Paytm and Facebook have also been called out for asking for this level of access from users devices. Paytm had been called out on Twitter for asking for root access, and had stated that this was required by the National Payments Council of India (NPCI) as a part of the Unified Payments Interface platform. However, after it was called out, the app stopped asking for root access, as per reports from the time.
Facebook meanwhile was running a VPN app, and it was paying users to use it. In return, Facebook was getting access to the entirety of their user data — as a result of which, Apple revoked Facebook's developer certificate to the App Store.
Oppo Kash has nearly two lakh downloads
Available for download through Google Play, the Oppo Kash app already has over 1,84,000 downloads. The app was also set to come preloaded on all Oppo phones, though it isn't a part pre-installed apps on some of the recent Oppo phones, including the Reno 4 Pro.
Preloaded apps on smartphones have come under scrutiny in the past as these aren't always easy to remove or disable. A tech lead on the Android security team, Maddie Stone, revealed how pre-installed apps on Android devices can undermine user privacy, while speaking at BlackHat USA, 2019.
More than 50 privacy activists sent an open letter to Google at the start of this year, asking the company to do more to defend the privacy of Android users. This is a problem that more commonly affects lower-cost devices, and so is also more prevalent in countries like India.
The Oppo Kash app launched in March as the company's “one-stop solution” for offering financial services including mutual fund investments, personal loans, business loans, and even screen insurance.
Oppo notably brought its solution just months after its sibling Realme introduced the Realme PaySa app in the Indian market. Both Oppo Kash and Realme PaySa are powered by Oppo's fintech subsidiary FinShell. However, Jayaram confirmed to Gadgets 360 that the root access issue isn't available on the Realme offering.
The Oppo Kash app is also an answer to Xiaomi's Mi Credit that was relaunched in December. Jayaram told Gadgets 360 that the Mi Credit app isn't requiring root access and works without superuser permissions on a rooted phone.
In 2020, will WhatsApp get the killer feature that every Indian is waiting for? We discussed this on Orbital, our weekly technology podcast, which you can subscribe to via Apple Podcasts or RSS, download the episode, or just hit the play button below.