Fisdom - The Indian Wealth Management Startup app is leaking your unencrypted Financial data all over the network
Update - 20 March 2017 - Fisdom updated their app after the post was published. Response from their Engineering Head:
Good to see them act swiftly. Apparently they had issues getting SSL to work on some Android devices, specifically Mi devices, because of which they chose to remove SSL from the Android app until things were figured out.
While I appreciate Fisdom's swift response, I still would not agree with their justification for withdrawing HTTPS to cater to a small number of devices, especially for a finance app that advertises bank-grade security.
Startups like Fisdom are valuable to our Fintech industry in giving the much needed digital push to take it outside of the old-school paper model. I wish Fisdom the very best and you still have my confidence that my money is safe with you.
Recently I started using an app called Fisdom, after it had been in the news a lot.
It is essentially a wealth management app. Not that I have any large wealth that needs managing, but I found their option to make small investments in Mutual Funds very easy, as it was totally paperless and very convenient. I liked the app, and in fact the review I left for it on the Play Store was featured on their website as well.
What I thought to be a very innovative start-up has proved to be yet another Indian start-up that makes a lot of noise but is not really what it claims to be.
I was impressed when they claimed “Bank Grade Security” etc.
But when I saw what lay under the hood, it wasn't a big surprise: it turned out to be yet another run-of-the-mill Indian startup that gave not a damn about the security or privacy of its customers, despite being a wealth management app with "Bank Grade Security". Lol.
All of the app's APIs use plain, unencrypted HTTP, not HTTPS.
What this means is that the owner of the network you are using, anyone on that network with the right tools, your ISP, or anyone with access to a router on the path can very easily intercept, read and collect all the financial details you can see in your Fisdom app. That includes the list of Mutual Funds you hold, their portfolio numbers, their values, your recurring payment, and any financial plans or goals you have set for yourself in the app. Everything!
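To make the exposure concrete from the defender's side, here is a small audit script. It is an added example and not Fisdom's code: it walks a set of captured API requests (the kind a proxy or packet capture on your own network would show for your own app) and reports every request that carried sensitive fields over plain `http://`. The hostname, paths and field names are hypothetical, and the capture records are constructed for the example.

```python
"""Audit captured mobile-app API traffic for financial data sent in cleartext.

Added example, not Fisdom's code. The request records in SAMPLE_CAPTURE are
constructed to resemble what a proxy would log for an app whose API uses plain
HTTP; the hostname, paths and field names are hypothetical.
"""
from dataclasses import dataclass, field
from typing import Dict, List
from urllib.parse import urlsplit

# Field names a wealth-management API might carry. Hypothetical list chosen
# for the example; a real audit would take this from the app's API contract.
SENSITIVE_FIELDS = {
    "pan", "folio_number", "portfolio_value", "sip_amount",
    "bank_account", "goal_target",
}


@dataclass
class CapturedRequest:
    method: str
    url: str
    body: Dict[str, object] = field(default_factory=dict)      # request payload
    response: Dict[str, object] = field(default_factory=dict)  # response payload


@dataclass
class Finding:
    url: str
    exposed_fields: List[str]  # dotted key paths seen in cleartext


def _walk(obj, prefix=""):
    """Yield a dotted key path for every leaf of a nested JSON-like object."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from _walk(value, f"{prefix}{key}.")
    elif isinstance(obj, list):
        for index, value in enumerate(obj):
            yield from _walk(value, f"{prefix}{index}.")
    else:
        yield prefix.rstrip(".")


def sensitive_paths(payload):
    """Return, sorted, the key paths whose final key is a sensitive field."""
    return sorted(p for p in _walk(payload)
                  if p.rsplit(".", 1)[-1] in SENSITIVE_FIELDS)


def audit_cleartext(requests):
    """One Finding per request that moved sensitive data over plain HTTP.

    Only the URL scheme decides exposure: anything on path between the phone
    and the server can read an http:// request, and nothing else about the
    request compensates for that.
    """
    findings = []
    for req in requests:
        if urlsplit(req.url).scheme.lower() != "http":
            continue  # https:// (or any non-http scheme): payload is not readable on path
        exposed = sensitive_paths(req.body) + sensitive_paths(req.response)
        if exposed:
            findings.append(Finding(req.url, exposed))
    return findings


def https_equivalent(url):
    """Rewrite an http:// URL to https://, leaving everything else unchanged."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "http":
        return url
    return parts._replace(scheme="https").geturl()


# Constructed capture: three cleartext requests and one over TLS.
SAMPLE_CAPTURE = [
    CapturedRequest("GET", "http://api.example-wealth.test/v1/portfolio",
                    response={"holdings": [{"fund": "Example Fund",
                                            "folio_number": "1234/56",
                                            "portfolio_value": 52000}]}),
    CapturedRequest("POST", "http://api.example-wealth.test/v1/sip",
                    body={"sip_amount": 1000, "bank_account": "XXXX1234"}),
    CapturedRequest("GET", "https://api.example-wealth.test/v1/goals",
                    response={"goal_target": 500000}),
    CapturedRequest("GET", "http://api.example-wealth.test/v1/ping",
                    response={"ok": True}),
]


if __name__ == "__main__":
    for finding in audit_cleartext(SAMPLE_CAPTURE):
        print(f"{finding.url} -> should be {https_equivalent(finding.url)}")
        for path in finding.exposed_fields:
            print(f"    cleartext field: {path}")
```

The audit flags the portfolio and SIP requests and ignores the `https://` goals request and the `http://` ping that carries nothing sensitive. On the app side, the platform-level counterpart to this check is Android's Network Security Config: a `res/xml/network_security_config.xml` with `<base-config cleartextTrafficPermitted="false">` (Android 7.0 and later), or `android:usesCleartextTraffic="false"` on the `<application>` element (Android 6.0 and later), makes the app refuse to send `http://` requests at all, so a regression like the one in this post fails loudly in testing instead of silently on customers' networks.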
I dropped a note to one of their co-founders warning them of the same. I am not sure when they plan to upgrade their APIs to use HTTPS, but I am not using the app until then, and will probably move whatever little money I have in Fisdom to a different bank soon. Meanwhile, if you use Fisdom, stay away from the app and make sure not to use it on any public network. Even on your own network, use it minimally, only to move your funds elsewhere.
Looking at a news piece about their recent funding -
No Fisdom! You should not spend that money on just acquiring customers and expanding your team. You should spend it on securing your platform. Get an SSL certificate. It costs nothing these days FFS!