YONO SBI App Vulnerability (CVE-2025-45080) Exposes Millions to Man-in-the-Middle Attacks

A critical flaw in the YONO SBI app allows attackers to intercept banking data via MITM attacks due to insecure HTTP settings. Learn how CVE-2025-45080 impacts users and how to protect your data.

What Happened?

A newly disclosed vulnerability in the YONO SBI: Banking & Lifestyle app (version 1.23.36) puts millions of users at risk of Man-in-the-Middle (MITM) attacks due to insecure network configurations. Identified as CVE-2025-45080, the flaw stems from the use of unencrypted HTTP traffic, a critical security misstep in any financial application.

Key Highlights of the Vulnerability

  • CVE-2025-45080 affects YONO SBI app version 1.23.36.

  • Caused by android:usesCleartextTraffic="true" in the manifest file.

  • Allows unencrypted data transmission via HTTP.

  • Can be exploited using Wi-Fi sniffing and MITM attack tools.

  • Users' login credentials, personal details, and financial transactions are at high risk.

  • Assigned a CVSS v3.1 score of 8.8 (High severity).

Technical Breakdown: What Went Wrong?

The Configuration Flaw

The YONO SBI Android app’s manifest file contains the entry:

<application android:usesCleartextTraffic="true">

This setting explicitly permits the app to send and receive data over unencrypted HTTP. Android blocks cleartext traffic by default for apps that target API level 28 (Android 9.0) or higher, so the flag deliberately re-enables what the platform would otherwise refuse.

This opens the door to MITM attacks on public Wi-Fi or compromised networks where attackers can observe or alter HTTP traffic.

How Attackers Exploit the Vulnerability

Tools Required:

  • APK decompiler like APKTool

  • Network sniffing tools such as Wireshark or Burp Suite

Attack Steps:

  1. Decompile the APK to confirm the insecure configuration.

  2. Connect to the same network as the victim (e.g., a café Wi-Fi).

  3. Use a proxy to intercept unencrypted HTTP data.

  4. Read or tamper with login credentials, transaction data, or PII.

No special authentication or exploit payload is required — just being on the same network and watching the traffic is enough.

What Is a Man-in-the-Middle Attack?

A Man-in-the-Middle (MITM) attack occurs when a malicious actor secretly intercepts or alters communication between two parties — in this case, between the YONO SBI app and the bank's servers.

Attackers can:

  • Steal login credentials

  • Monitor account balances

  • Alter transaction values

  • Redirect payments

Risk Summary

Factor: Details

App Version: YONO SBI v1.23.36
Package Name: com.sbi.lotusintouch
Vulnerability ID: CVE-2025-45080
Platform: Android
CVSS Score: 8.8 (High)
Exploitation Level: Local network-based (Wi-Fi proximity or shared LAN access)
Data at Risk: Usernames, passwords, transaction history, personal info

Who Discovered the Vulnerability?

Security researcher Ishwar Kumar responsibly disclosed the flaw. The vulnerability was found through APK reverse engineering and validated with network traffic monitoring tools.

Why This Is a Big Deal

Banking apps handle:

  • Authentication data

  • Account balances

  • Transaction records

  • User PII

Sending any of this over HTTP is a major red flag. While HTTPS encrypts traffic, HTTP does not — making it easy for attackers to read or manipulate data in transit.

Real-World Scenarios of Exploitation

Public Wi-Fi Danger

Users accessing the YONO SBI app on airports, cafés, or hotel Wi-Fi could unknowingly expose their banking data to attackers on the same network.

Rogue Access Points

Attackers could set up fake Wi-Fi hotspots mimicking legitimate ones, then intercept cleartext HTTP data flowing through the app.

Recommendations for SBI Customers

  • Avoid using the YONO app on public or shared networks.

  • Enable multi-factor authentication (MFA) where possible.

  • Monitor bank transactions regularly for any suspicious activity.

  • Update the app as soon as SBI releases a patched version.

  • Use VPNs to encrypt traffic if you must access banking apps on open networks.

Recommendations for Developers

  • Always disable usesCleartextTraffic in production financial apps.

  • Enforce HTTPS-only communication using Android Network Security Config.

  • Implement certificate (SSL) pinning so that a rogue or mis-issued certificate cannot be used to intercept traffic even over HTTPS.

  • Conduct security reviews and static code analysis before release.

  • Align app development with OWASP Mobile Top 10 standards.
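The manifest flag described under "The Configuration Flaw" and the developer fixes listed above (usesCleartextTraffic, Network Security Config, pinning) can be checked mechanically on the files an APK decoder such as APKTool produces. The audit script below is an added example, not code from the article, SBI, or the researcher; it applies Android's documented precedence rules (a referenced Network Security Config overrides android:usesCleartextTraffic; without one, the flag defaults to true below targetSdkVersion 28 and false from 28 up), and the manifest and config samples embedded in it are constructed, not the real app's files.

```python
import xml.etree.ElementTree as ET
A = "{http://schemas.android.com/apk/res/android}"  # android: namespace in decoded manifests

def _flag(value, default):
    return default if value is None else value.strip().lower() == "true"

def manifest_settings(manifest_xml):
    """Return (target_sdk, uses_nsc, cleartext_flag) read from AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    sdk = root.find("uses-sdk")
    target = int(sdk.get(A + "targetSdkVersion", "1")) if sdk is not None else 1
    app = root.find("application")
    uses_nsc = app.get(A + "networkSecurityConfig") is not None
    # Platform default: cleartext allowed below API 28, blocked from API 28 onward
    return target, uses_nsc, _flag(app.get(A + "usesCleartextTraffic"), target < 28)

def nsc_cleartext(nsc_xml, host, target_sdk):
    """Effective cleartextTrafficPermitted for host (top-level domain-config only; nesting not modelled)."""
    root = ET.fromstring(nsc_xml)
    base = root.find("base-config")
    base_permitted = _flag(base.get("cleartextTrafficPermitted") if base is not None else None,
                           target_sdk < 28)
    for dc in root.findall("domain-config"):
        for dom in dc.findall("domain"):
            name = dom.text.strip()
            subs = _flag(dom.get("includeSubdomains"), False)
            if host == name or (subs and host.endswith("." + name)):
                return _flag(dc.get("cleartextTrafficPermitted"), base_permitted)  # inherits base
    return base_permitted

def cleartext_permitted(manifest_xml, nsc_xml=None, host=""):
    """True if the app may send cleartext HTTP to host; a referenced NSC overrides the manifest flag."""
    target, uses_nsc, flag = manifest_settings(manifest_xml)
    if uses_nsc and nsc_xml is not None:
        return nsc_cleartext(nsc_xml, host, target)
    return flag

# Constructed samples (not the real YONO SBI files): the weak manifest mirrors the article's
# finding; the hardened pair shows the developer fix plus a pin-set with a placeholder digest.
WEAK_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-sdk android:targetSdkVersion="33"/><application android:usesCleartextTraffic="true"/></manifest>"""
HARDENED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-sdk android:targetSdkVersion="33"/><application android:networkSecurityConfig="@xml/nsc"/></manifest>"""
HARDENED_NSC = """<network-security-config>
  <base-config cleartextTrafficPermitted="false"/>
  <domain-config><domain includeSubdomains="true">bank.example</domain>
    <pin-set><pin digest="SHA-256">PLACEHOLDER_SPKI_SHA256_BASE64=</pin></pin-set>
  </domain-config></network-security-config>"""
```

Running cleartext_permitted(WEAK_MANIFEST) reports True, while the hardened manifest and config report False for any host, which is the state a production banking build should be in.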

Conclusion

The CVE-2025-45080 vulnerability in the YONO SBI app is a reminder that misconfigured apps can defeat even the best encryption protocols. While the flaw is relatively easy to fix, its consequences are severe — especially in financial applications where trust and confidentiality are paramount.

With the popularity of digital banking rising, such vulnerabilities underline the urgent need for secure-by-design app development practices.

FAQs

What is CVE-2025-45080?

CVE-2025-45080 is a security vulnerability in the YONO SBI Android app that allows unencrypted HTTP communication, making it susceptible to Man-in-the-Middle (MITM) attacks.

Which version of the YONO SBI app is affected?

Version 1.23.36 of the YONO SBI: Banking & Lifestyle app is affected by this vulnerability.

How does the vulnerability work?

The vulnerability stems from the app’s use of android:usesCleartextTraffic="true" in the manifest file, allowing unencrypted HTTP data transfer.

What is a Man-in-the-Middle (MITM) attack?

A MITM attack is when a hacker intercepts communication between a user and a server, allowing them to eavesdrop or alter data.

Can hackers steal bank credentials through this flaw?

Yes, attackers can potentially steal usernames, passwords, and transaction data using MITM techniques.

Is the attack remote or local?

The attack is local in nature, requiring the hacker to be on the same network as the victim (e.g., public Wi-Fi).

How was this vulnerability discovered?

Security researcher Ishwar Kumar identified and reported the vulnerability after analyzing the APK and app behavior.

What tools can be used to exploit this vulnerability?

Attackers can use tools like APKTool, Burp Suite, or Wireshark to analyze and intercept traffic.

How severe is the CVE-2025-45080 vulnerability?

It has a CVSS 3.1 score of 8.8, classifying it as a high-severity vulnerability.

Is the vulnerability exploitable without user interaction?

Yes, attackers can intercept data without needing user permissions or interaction if they’re on the same network.

Can attackers alter financial transactions through MITM?

Yes, in theory, attackers can tamper with transaction data before it reaches the banking server.

Why is using HTTP dangerous for banking apps?

HTTP lacks encryption, exposing sensitive data to interception and manipulation during transmission.

How can users protect themselves?

Avoid using the app on unsecured Wi-Fi and wait for a security patch from SBI.

Has SBI issued a patch for this vulnerability?

As of now, no official patch has been released. Users should monitor updates from SBI.

What platforms are affected?

The issue specifically affects the Android platform.

What does usesCleartextTraffic mean in Android?

It is an attribute on the application element of the Android manifest that controls whether the app may use cleartext (unencrypted HTTP) network traffic; setting it to "true" permits such traffic, which is insecure.

Why is HTTPS preferred over HTTP in apps?

HTTPS encrypts data in transit, protecting against eavesdropping and tampering.

What risks does this pose to users?

Banking credentials, transaction history, and personal information can be stolen.

Can this be exploited through mobile data?

While possible, it’s far more common over public or unsecured Wi-Fi networks.

Is this a new type of vulnerability?

No, cleartext traffic vulnerabilities are well known, but they remain dangerous in financial apps.

What role do app developers play in prevention?

They must ensure secure coding practices, use HTTPS, and review manifest settings.

What is the Android security recommendation for cleartext traffic?

Android recommends disabling cleartext traffic by default, especially in financial or sensitive apps.

Can antivirus apps detect this vulnerability?

Most antivirus apps may not detect it as it’s a configuration flaw, not malware.

Is this vulnerability being actively exploited?

There are no public reports of exploitation yet, but the risk is considered high.

What is APKTool used for?

APKTool is a reverse engineering tool used to decode Android app packages so their manifest, resources, and disassembled code can be inspected.

What is Burp Suite used for in this context?

Burp Suite can intercept HTTP traffic, making it useful for testing MITM vulnerabilities.

What should security testers do with this info?

Test similar apps for insecure traffic settings and report them responsibly.

Can developers fix this easily?

Yes, by setting android:usesCleartextTraffic="false" and enforcing HTTPS connections.

Are iOS users affected by this issue?

No, this vulnerability is specific to the Android version of the YONO SBI app.

How can organizations avoid such issues?

By following OWASP mobile security guidelines and performing regular security audits.
