YONO SBI Banking App Vulnerability Let Attackers Execute a Man-in-the-Middle Attack

Update: SBI has confirmed that the referred version (1.23.36) is an obsolete version released in April 2021 and is no longer available on the Play Store or App Store. The current version of the YONO App is 1.24.24, which is safe and secure, and no vulnerabilities have been found in this version.

A significant security flaw has been identified in the popular YONO SBI banking application that could potentially expose millions of users to cybersecurity threats. 

The vulnerability, designated as CVE-2025-45080, affects version 1.23.36 of the YONO SBI: Banking & Lifestyle app and stems from insecure network configuration settings that allow unencrypted data transmission.

Summary
1. CVE-2025-45080 in YONO SBI app v1.23.36 allows unencrypted HTTP traffic due to insecure configuration settings.
2. Enables man-in-the-middle attacks where hackers can intercept and manipulate banking data during transmission.
3. Banking credentials, transactions, and personal data are vulnerable to theft, especially on public Wi-Fi networks.
4. Millions of SBI users at risk; experts advise avoiding the app on unsecured networks until patched.

Man-in-the-Middle Flaw in Older Version

The vulnerability centers around the Android application's manifest configuration, specifically the presence of `android:usesCleartextTraffic="true"` in the app's AndroidManifest.xml file.

This setting explicitly allows the application to transmit data over unencrypted HTTP connections, contradicting modern security best practices for financial applications. 

The affected app package com.sbi.lotusintouch essentially bypasses Android’s default security mechanisms that were implemented to protect user data.

Security researcher Ishwar Kumar, who discovered the vulnerability, demonstrated that the flaw can be exploited through a relatively straightforward process. 

By decompiling the APK using tools like APKTool and examining the application manifest, researchers can confirm the presence of the insecure configuration. 

Network analysis tools such as Burp Suite or Wireshark can then intercept and monitor the unencrypted traffic flowing between the app and its servers.

The technical implications are severe, as this configuration violates Android’s security guidelines for apps targeting API level 28 (Android 9) or higher, where cleartext traffic is disabled by default. 
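As an added example (not from the article or from the researcher's write-up), the following Python audit reads a decompiled manifest of the kind APKTool produces and applies the rule just described: cleartext is blocked by default from targetSdkVersion 28, `usesCleartextTraffic="true"` re-enables it, and a `networkSecurityConfig` overrides the attribute. The sample manifests and the package name `com.example.bankapp` are constructed for illustration.

```python
"""Audit a decompiled AndroidManifest.xml (apktool output) for cleartext HTTP exposure."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def _attr(elem, name):
    # Read an android: namespaced attribute; None if the element or attribute is absent.
    return None if elem is None else elem.get(f"{{{ANDROID_NS}}}{name}")


def audit_cleartext(manifest_xml, target_sdk=None):
    """Decide whether the manifest lets the app send plaintext HTTP.

    Mirrors the platform rule: from targetSdkVersion 28 cleartext is blocked by
    default; android:usesCleartextTraffic="true" re-enables it; a
    networkSecurityConfig, when present, overrides that attribute entirely.
    apktool moves targetSdkVersion into apktool.yml, hence the optional argument.
    """
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    if target_sdk is None:
        target_sdk = int(_attr(root.find("uses-sdk"), "targetSdkVersion") or 1)
    nsc, flag = _attr(app, "networkSecurityConfig"), _attr(app, "usesCleartextTraffic")
    result = {"package": root.get("package"), "target_sdk": target_sdk}
    if nsc is not None:  # the XML it points to decides; report it for manual review
        result.update(cleartext_allowed=None, reason=f"governed by {nsc}")
    elif flag == "true":
        result.update(cleartext_allowed=True, reason='usesCleartextTraffic="true" set')
    elif flag == "false":
        result.update(cleartext_allowed=False, reason="usesCleartextTraffic disabled")
    else:
        result.update(cleartext_allowed=target_sdk < 28,
                      reason=f"attribute unset; platform default for targetSdk {target_sdk}")
    return result


# Constructed sample manifests (not from any real app): the weak setting and its fix.
WEAK_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.bankapp">
  <uses-sdk android:targetSdkVersion="30"/>
  <application android:label="Bank" android:usesCleartextTraffic="true"/>
</manifest>"""
FIXED_MANIFEST = WEAK_MANIFEST.replace('usesCleartextTraffic="true"', 'usesCleartextTraffic="false"')

if __name__ == "__main__":
    for name, manifest in (("weak", WEAK_MANIFEST), ("fixed", FIXED_MANIFEST)):
        print(name, audit_cleartext(manifest))
```

Run it against `AndroidManifest.xml` from an apktool output directory, passing the `targetSdkVersion` recorded in `apktool.yml`; a `networkSecurityConfig` result means the referenced `res/xml` file must be checked for `cleartextTrafficPermitted`.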

The vulnerability creates multiple attack vectors, including eavesdropping on sensitive communications, data tampering during transmission, and most critically, man-in-the-middle (MITM) attacks, where malicious actors can position themselves between users and legitimate banking servers.

Man-in-the-middle attacks enabled by this vulnerability could allow attackers to capture login credentials, monitor financial transactions in real-time, and potentially manipulate transaction data before it reaches legitimate servers. 

Users connecting to public Wi-Fi networks or compromised network infrastructure would be at particularly high risk, as attackers could easily position themselves to intercept cleartext communications.


Guru Baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.