| Title | PhonePe Private Limited PhonePe Android App 25.03.21.0 Information Disclosure |
|---|---|
| Description | The PhonePe Android app (v25.03.21.0) stores authentication tokens, KYC metadata, and personally identifiable information (PII) in plaintext within local SQLite databases. Attackers with root access can extract this data and use it to access user accounts via production APIs. This results in account takeover and identity theft. |
| Source | https://github.com/honestcorrupt/-Insecure-Local-Storage-of-Sensitive-User-Data-in-PhonePe-Android-App-Unpatched- |
| User | honest_corrupt (UID 85229) |
| Submission | 05/13/2025 09:27 (11 months ago) |
| Moderation | 05/25/2025 00:21 (12 days later) |
| Status | Accepted |
| VulDB entry | 310242 [PhonePe App 25.03.21.0 on Android SQLite Database databases cleartext storage in file] |
| Points | 18 |