Security Analysis of Unified Payments Interface and Payment Apps in India

Authors: 

Renuka Kumar, University of Michigan; Sreesh Kishore, Amrita Vishwa Vidyapeetham; Hao Lu and Atul Prakash, University of Michigan

Abstract: 

Since 2016, with a strong push from the Government of India, smartphone-based payment apps have become mainstream, with over $50 billion transacted through these apps in 2018. Many of these apps use a common infrastructure introduced by the Indian government, called the Unified Payments Interface (UPI), but there has been no security analysis of this critical piece of infrastructure that supports money transfers. This paper uses a principled methodology to do a detailed security analysis of the UPI protocol by reverse-engineering the design of this protocol through seven popular UPI apps. We discover previously-unreported multi-factor authentication design-level flaws in the UPI 1.0 specification that can lead to significant attacks when combined with an installed attacker-controlled application. In an extreme version of the attack, the flaws could allow a victim's bank account to be linked and emptied, even if a victim had never used a UPI app. The potential attacks were scalable and could be done remotely. We discuss our methodology and detail how we overcame challenges in reverse-engineering this unpublished application layer protocol, including that all UPI apps undergo a rigorous security review in India and are designed to resist analysis. The work resulted in several CVEs, and a key attack vector that we reported was later addressed in UPI 2.0.

Open Access Media

USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.

BibTeX
@inproceedings {247668,
title = {Security Analysis of Unified Payments Interface and Payment Apps in India},
booktitle = {29th {USENIX} Security Symposium ({USENIX} Security 20)},
year = {2020},
address = {Boston, MA},
url = {https://www.usenix.org/conference/usenixsecurity20/presentation/kumar},
publisher = {{USENIX} Association},
month = aug,
}