
What we learnt by hacking 17 Indian start-ups worth $10 billion+

Abhishek Anand, co-founder of Fallible, discovered security vulnerabilities in 17 Indian start-ups. He writes about his findings in Tech in Asia.

Abhishek Anand Tech in Asia
Last Updated : Nov 09 2015 | 1:39 PM IST
Last month, we discovered security vulnerabilities in start-ups, including Ola, Zomato, HomeShop18, BookMyShow and others. 

Almost every start-up here has security bugs
You might think that a start-up running for the last six years would be relatively bug-free. To our surprise, more than 70% of the companies we looked at had severe bugs that either compromised users' personal data or could cause monetary loss to the start-up or its users. Some of these start-ups have dedicated security teams, and we were still able to discover severe vulnerabilities in them.

Bug bounty programmes are unknown in Indian start-ups
Of the 17 start-ups we contacted, only two offered us a bug bounty. Both were less than $100. As far as we know, only Ola Cabs and Paytm have a formal bug bounty programme amongst the bigger start-ups.

User data leak is a major problem 

Imagine if the three million users whose data was being leaked by start-ups started claiming compensation under Section 43A of the IT Act. Many start-ups leak user data somewhere in their API requests, either because an authorisation token is missing or because the token is not checked against the currently logged-in user.
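
The two failure modes named above, next to a corrected check, as an added example that is not code from the article or from any of the start-ups mentioned. The handler names, tokens and user records are hypothetical and constructed for illustration.

```python
# Constructed sample data: session tokens and user records are made up.
SESSIONS = {"tok-alice": 1, "tok-bob": 2}   # token -> logged-in user id
USERS = {
    1: {"name": "Alice", "phone": "555-0101"},
    2: {"name": "Bob", "phone": "555-0102"},
}


def profile_no_token(user_id, token=None):
    """Flaw 1: no authorisation token is required at all."""
    return 200, USERS.get(user_id)


def profile_token_not_bound(user_id, token=None):
    """Flaw 2: the token must be valid, but is never compared with user_id."""
    if token not in SESSIONS:
        return 401, None
    return 200, USERS.get(user_id)


def profile_checked(user_id, token=None):
    """Fix: resolve the caller from the token and require it to own the record."""
    caller = SESSIONS.get(token)
    if caller is None:
        return 401, None        # missing or unknown token
    if caller != user_id:
        return 403, None        # valid token, but someone else's record
    return 200, USERS.get(user_id)


def unauthorised_reads(handler):
    """Regression check: list the requests for which the handler returns
    user 1's record to a caller who is not user 1."""
    cases = [("no token", None, 1), ("bob's token", "tok-bob", 1)]
    return [(label, uid) for label, tok, uid in cases
            if handler(uid, tok)[1] is not None]


if __name__ == "__main__":
    for h in (profile_no_token, profile_token_not_bound, profile_checked):
        print(h.__name__, unauthorised_reads(h))
```

The same ownership comparison belongs on every endpoint that takes a record identifier from the request, not only on the profile lookup shown here.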

Your mobile apps have made you more vulnerable
The simple fact is that there is no way to prevent reverse engineering of your mobile app. If your app relies on ‘security through obscurity’ and you think ProGuard or putting your keys behind the Java Native Interface (JNI) will keep a secret safe, please don’t. Anything whose exposure would compromise your security does not belong in the client app, no matter how obfuscated its storage.

This is an excerpt from Tech in Asia. You can read the full article here. Abhishek Anand is a co-founder at Fallible, which is building a SaaS security product to help startups secure their apps and systems by monitoring and analyzing for security vulnerabilities.

First Published: Nov 09 2015 | 1:30 PM IST
