A security vulnerability has been disclosed in the YONO SBI: Banking & Lifestyle mobile application, affecting version 1.23.36. The flaw, tracked as CVE-2025-45080, concerns an Android configuration that permits the app to communicate over unencrypted HTTP. Because the app handles banking data for millions of users, any sensitive information sent over such a connection could be read or altered by an attacker positioned on the network path, for example through a man-in-the-middle (MITM) attack.
Technical Details: Cleartext Traffic Enabled
The root of the vulnerability lies in the app’s Android configuration, specifically the android:usesCleartextTraffic="true" attribute on the <application> element of its AndroidManifest.xml. This attribute tells the platform networking stacks (HttpURLConnection, WebView, and libraries such as OkHttp that honour it) whether plain HTTP connections may be opened at all. For applications targeting API level 28 (Android 9) or higher, the attribute defaults to false, so cleartext connections are refused unless the developer opts back in. YONO SBI’s manifest explicitly sets it to true, restoring the permissive pre-API-28 behaviour and giving up the platform’s protection against accidental or downgraded HTTP use. Two caveats matter when assessing such a finding: the attribute only permits cleartext, so whether sensitive data actually travels over HTTP has to be confirmed by observing the app’s traffic; and on Android 7.0 (API level 24) and later the attribute is ignored entirely if the app declares an android:networkSecurityConfig, in which case that configuration file decides the policy.
This misconfiguration is categorized under CWE-319: Cleartext Transmission of Sensitive Information, highlighting a critical vulnerability where sensitive data is transmitted in plaintext, making it vulnerable to interception and manipulation by unauthorized entities.
Potential Impact: Eavesdropping and MITM Attacks
The allowance of cleartext traffic in a banking application poses several grave risks:
- Eavesdropping: Attackers on the same network path (a public Wi-Fi hotspot, a compromised router, a rogue access point) can read unencrypted data, including login credentials, account details, and transaction information, as it traverses the network.
- Tampering: Because cleartext HTTP carries no integrity protection, an attacker can modify requests and responses in transit, for example altering the payee or amount in a transaction request or injecting content into pages the app renders.
- Man-in-the-Middle (MITM) Attacks: An attacker who interposes between the user and the bank’s servers can relay every message, reading or rewriting it before forwarding, while both the app and the server remain unaware that anything sits between them.
Taken together, these can result in credential theft, unauthorized transactions, or other fraudulent activity.
Remediation and Recommendations
The recommended fix is to set android:usesCleartextTraffic="false" and to use HTTPS for every network request the app makes. Developers should additionally ship an Android Network Security Config (referenced from the manifest via android:networkSecurityConfig) with cleartextTrafficPermitted="false" in its base-config, which gives finer control over the policy, takes precedence over the manifest attribute on API level 24 and above, and can also restrict which certificate authorities the app trusts. The vulnerability was identified and disclosed by security researcher Ishwar Kumar, who demonstrated the issue by decompiling the APK, examining the manifest, and then confirming that the app actually sends unencrypted HTTP traffic using an intercepting proxy or packet capture such as Burp Suite or Wireshark. That last step is essential: the manifest attribute alone shows that cleartext is permitted, not that it is used.
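The following is an added example and not code from the advisory, the researcher, or the YONO SBI project. It reproduces the manifest triage step described above on a decoded AndroidManifest.xml (the kind of file apktool produces) and places the weak configuration next to the hardened manifest and Network Security Config that the remediation section recommends. All three XML files are constructed for this example with a hypothetical package name; they are not taken from the real APK. The check encodes Android’s precedence rules as a heuristic: an explicit Network Security Config wins over usesCleartextTraffic, and with neither set the default is "blocked" only for targetSdkVersion 28 or higher. Note that apktool moves `<uses-sdk>` into apktool.yml, so the script also accepts the target SDK through an optional TARGET_SDK environment variable.

```shell
#!/bin/sh
# Added example (not from the advisory or the YONO SBI app): triage a decoded
# AndroidManifest.xml for the cleartext-traffic setting, the way a reviewer
# would after `apktool d app.apk`. Sample files below are constructed.

WORK=$(mktemp -d)

# Constructed sample 1: the weak configuration the advisory describes.
cat > "$WORK/weak_manifest.xml" <<'EOF'
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.bank">
  <uses-sdk android:minSdkVersion="23" android:targetSdkVersion="30"/>
  <application android:label="Bank" android:usesCleartextTraffic="true">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>
EOF

# Constructed sample 2: hardened manifest that sets the attribute to false and
# delegates policy to a Network Security Config (which overrides it on API 24+).
cat > "$WORK/fixed_manifest.xml" <<'EOF'
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.bank">
  <uses-sdk android:minSdkVersion="23" android:targetSdkVersion="30"/>
  <application android:label="Bank"
      android:usesCleartextTraffic="false"
      android:networkSecurityConfig="@xml/network_security_config">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>
EOF

# res/xml/network_security_config.xml referenced by the hardened manifest:
# no cleartext anywhere, and only the system CA store is trusted.
cat > "$WORK/network_security_config.xml" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
  <base-config cleartextTrafficPermitted="false">
    <trust-anchors>
      <certificates src="system"/>
    </trust-anchors>
  </base-config>
</network-security-config>
EOF

# Constructed sample 3: no attribute at all, so the platform default applies.
cat > "$WORK/default_manifest.xml" <<'EOF'
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.bank">
  <uses-sdk android:minSdkVersion="23" android:targetSdkVersion="30"/>
  <application android:label="Bank">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>
EOF

# check_cleartext MANIFEST [NETWORK_SECURITY_CONFIG]
# Prints one verdict: nsc-blocks-cleartext, nsc-allows-cleartext,
# nsc-present-inspect-config, cleartext-allowed, or cleartext-blocked.
# Heuristic only: a real review also reads domain-config entries in the NSC
# and, above all, captures live traffic to see what the app really sends.
check_cleartext() {
    manifest="$1"
    nsc="$2"
    if grep -q 'android:networkSecurityConfig=' "$manifest"; then
        # NSC present: the manifest attribute is ignored on API 24+.
        if [ -z "$nsc" ]; then
            echo "nsc-present-inspect-config"
        elif grep -q 'cleartextTrafficPermitted="false"' "$nsc"; then
            echo "nsc-blocks-cleartext"
        else
            echo "nsc-allows-cleartext"
        fi
    elif grep -q 'android:usesCleartextTraffic="true"' "$manifest"; then
        echo "cleartext-allowed"
    elif grep -q 'android:usesCleartextTraffic="false"' "$manifest"; then
        echo "cleartext-blocked"
    else
        # No attribute: default is false only from targetSdkVersion 28 on.
        # apktool keeps targetSdkVersion in apktool.yml, so allow an override.
        target=${TARGET_SDK:-$(sed -n 's/.*android:targetSdkVersion="\([0-9]*\)".*/\1/p' "$manifest" | head -n 1)}
        if [ -n "$target" ] && [ "$target" -ge 28 ]; then
            echo "cleartext-blocked"
        else
            echo "cleartext-allowed"
        fi
    fi
}

echo "weak manifest   : $(check_cleartext "$WORK/weak_manifest.xml")"
echo "fixed manifest  : $(check_cleartext "$WORK/fixed_manifest.xml" "$WORK/network_security_config.xml")"
echo "default, sdk 30 : $(check_cleartext "$WORK/default_manifest.xml")"
echo "default, sdk 27 : $(TARGET_SDK=27 check_cleartext "$WORK/default_manifest.xml")"
```

Run it as `sh check_cleartext.sh`; to triage a real app, decode it with `apktool d app.apk` and pass the decoded AndroidManifest.xml and, if present, res/xml/network_security_config.xml to check_cleartext. A "cleartext-allowed" verdict is the starting point for the traffic capture the researcher performed, not the end of the assessment.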
Given the critical nature of this vulnerability in a financial application, users are strongly encouraged to refrain from using the affected version until a security update is made available. The National Vulnerability Database (NVD) has documented the CVE record, and further updates from the app developers and the State Bank of India are anticipated.