YONO SBI App Vulnerability Enables Man-in-the-Middle Attacks

A major security vulnerability has been discovered in the YONO SBI: Banking & Lifestyle mobile application, version 1.23.36, which could put millions of users at risk.

The flaw, officially cataloged as CVE-2025-45080, centers on the app’s use of unencrypted communications, potentially exposing sensitive banking information to attackers through a man-in-the-middle (MITM) attack.

Technical Details: Cleartext Traffic Enabled

The vulnerability is rooted in the app’s Android configuration: its AndroidManifest.xml sets the android:usesCleartextTraffic="true" attribute on the <application> element.

This attribute tells the platform’s HTTP stacks (HttpURLConnection, OkHttp, WebView and other components that honour it) that the app may transmit data over unencrypted HTTP connections rather than HTTPS only.

For Android applications targeting API level 28 (Android 9) or higher, the platform default for this attribute is false, so cleartext connections are refused unless the app opts in; for API level 27 and lower the default is true. YONO SBI’s configuration opts in explicitly, overriding the secure default and violating best security practice.

```xml
<application
    android:usesCleartextTraffic="true"
    ...>
</application>
```

This misconfiguration falls under CWE-319: Cleartext Transmission of Sensitive Information, the weakness class covering sensitive or security-critical data sent in plaintext, where anyone on the network path can read or modify it.

Potential Impact: Eavesdropping and MITM Attacks

Allowing cleartext traffic in a banking application introduces several severe risks:

  • Eavesdropping: Attackers on the same network path (a shared Wi-Fi network, a malicious hotspot, a compromised router) can read unencrypted data, such as login credentials, account details, and transaction information, as it travels over the network.
  • Tampering: Malicious actors may alter data in transit, potentially redirecting funds or injecting malicious commands or content into responses.
  • Man-in-the-Middle (MITM) Attacks: Attackers can position themselves between the user and the bank’s servers, relaying and possibly modifying communications without the user’s knowledge. This can lead to credential theft, unauthorized transactions, or fraudulent activity.

A typical MITM attack involves an attacker intercepting messages between the app and the server, modifying or reading them before passing them along, all while both parties remain unaware of the intrusion.

Remediation and Recommendations

Security experts recommend that developers explicitly set android:usesCleartextTraffic="false" and use HTTPS for every network request. The platform enforces the flag on a best-effort basis through its HTTP stacks, so it is a safety net rather than a substitute for making every endpoint URL https://.

Additionally, an Android Network Security Config (declared on the <application> element with android:networkSecurityConfig and stored under res/xml/) provides granular control over network security policy: its base-config can deny cleartext for the whole app, domain-config entries can override the policy per host, and trust anchors can be restricted or pinned. On Android 7.0 (API level 24) and higher, a declared Network Security Config takes precedence over the usesCleartextTraffic attribute, so the two should agree.

The vulnerability was discovered and disclosed by security researcher Ishwar Kumar, who demonstrated the issue by decompiling the APK, inspecting the manifest, and confirming unencrypted HTTP traffic using tools like Burp Suite or Wireshark. That second step matters: the manifest flag only permits cleartext, and the practical exposure depends on which endpoints the app actually contacts over HTTP, which is why a traffic capture accompanies the manifest finding.
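The following script, an added example that is not part of the article or of SBI’s code, shows how to evaluate what the manifest inspection described above actually means, and how a Network Security Config changes the answer. It applies the platform rules stated in this article (attribute default true below API 28 and false from API 28 up; a declared Network Security Config overrides the attribute, with the most specific domain-config winning over base-config). The manifests, the network_security_config.xml and the example.com hosts are all constructed for the example; nested domain-config elements and debug-overrides are not handled. Feed it the AndroidManifest.xml produced by apktool or apkanalyzer and the res/xml config it references.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS  # ElementTree Clark notation for android:* attributes

# Constructed manifest mirroring the misconfiguration described in the article.
VULNERABLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.bank">
  <uses-sdk android:minSdkVersion="24" android:targetSdkVersion="33"/>
  <application android:label="Bank" android:usesCleartextTraffic="true"/>
</manifest>"""

# Constructed hardened manifest: attribute set to false plus an explicit Network Security Config.
HARDENED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.bank">
  <uses-sdk android:minSdkVersion="24" android:targetSdkVersion="33"/>
  <application android:label="Bank" android:usesCleartextTraffic="false"
               android:networkSecurityConfig="@xml/network_security_config"/>
</manifest>"""

# Constructed res/xml/network_security_config.xml: cleartext denied app-wide, system CAs only.
HARDENED_NSC = """<network-security-config>
  <base-config cleartextTrafficPermitted="false">
    <trust-anchors><certificates src="system"/></trust-anchors>
  </base-config>
  <domain-config cleartextTrafficPermitted="false">
    <domain includeSubdomains="true">bank.example.com</domain>
  </domain-config>
</network-security-config>"""


def _as_bool(value, default):
    return default if value is None else value.strip().lower() == "true"


def manifest_policy(manifest_xml, target_sdk=None):
    """Cleartext policy implied by AndroidManifest.xml alone.

    target_sdk overrides <uses-sdk> (apktool often moves it to apktool.yml).
    Platform default: cleartext permitted below API 28, denied from API 28 up.
    """
    root = ET.fromstring(manifest_xml)
    if target_sdk is None:
        uses_sdk = root.find("uses-sdk")
        target_sdk = int(uses_sdk.get(A + "targetSdkVersion", "1")) if uses_sdk is not None else 1
    app = root.find("application")
    attr = app.get(A + "usesCleartextTraffic") if app is not None else None
    return {
        "target_sdk": target_sdk,
        "explicit": attr is not None,
        "cleartext": _as_bool(attr, target_sdk < 28),
        "nsc": app.get(A + "networkSecurityConfig") if app is not None else None,
    }


def nsc_policy(nsc_xml, target_sdk):
    """Parse base-config and top-level domain-config entries of a Network Security Config."""
    root = ET.fromstring(nsc_xml)
    base = root.find("base-config")
    base_attr = base.get("cleartextTrafficPermitted") if base is not None else None
    base_allow = _as_bool(base_attr, target_sdk < 28)
    rules = []  # (domain, include_subdomains, cleartext_permitted)
    for dc in root.findall("domain-config"):
        allow = _as_bool(dc.get("cleartextTrafficPermitted"), base_allow)  # inherits from base
        for d in dc.findall("domain"):
            rules.append((d.text.strip().lower(), _as_bool(d.get("includeSubdomains"), False), allow))
    return base_allow, rules


def cleartext_allowed_for(host, base_allow, rules):
    """Most specific matching domain-config wins; otherwise base-config applies."""
    host = host.lower()
    best = None
    for domain, subs, allow in rules:
        if host == domain or (subs and host.endswith("." + domain)):
            if best is None or len(domain) > len(best[0]):
                best = (domain, allow)
    return best[1] if best else base_allow


def effective_policy(manifest_xml, nsc_xml=None, hosts=(), target_sdk=None):
    """Combine both sources as the platform does: a declared NSC takes precedence."""
    m = manifest_policy(manifest_xml, target_sdk)
    if m["nsc"] and nsc_xml:
        base, rules = nsc_policy(nsc_xml, m["target_sdk"])
        return {"source": "network_security_config", "base": base,
                "hosts": {h: cleartext_allowed_for(h, base, rules) for h in hosts}}
    return {"source": "manifest", "base": m["cleartext"],
            "hosts": {h: m["cleartext"] for h in hosts}}


if __name__ == "__main__":
    hosts = ["api.bank.example.com", "cdn.example.net"]
    for label, mf, nsc in [("vulnerable", VULNERABLE_MANIFEST, None),
                           ("hardened", HARDENED_MANIFEST, HARDENED_NSC)]:
        print(label, effective_policy(mf, nsc, hosts))
```

The result for the vulnerable manifest is "cleartext permitted for every host"; for the hardened pair it is denied for every host. A denied result still says nothing about what the app does at runtime, so the Burp or Wireshark capture the researcher used remains the confirming step.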

Given the critical nature of this flaw in a financial app, users are urged to avoid using the affected version until a security update is released.

The National Vulnerability Database (NVD) has published the CVE record, and further updates from the app developers and the State Bank of India are awaited.

AnuPriya
AnuPriya is a cybersecurity reporter at Cyber Press, specializing in cyber attacks, dark web monitoring, data breaches, vulnerabilities, and malware.