Bhim App: Lucideus Tech is the team that ensures that Bhim is security-loophole free

The Bhim app is based on the Unified Payments Interface (UPI), the security for which is handled by a New Delhi-based cybersecurity company called Lucideus Tech.


The Bharat Interface for Money or the Bhim app was launched by Prime Minister Narendra Modi on 30 December 2016. It has already crossed over 3mn downloads and is the top rated app under the 'Top Free Apps' category on the Google Play Store. According to Niti Aayog CEO Amitabh Kant, the iOS variant of the Bhim app is expected to drop on the Apple store on 10 January.

The Bhim app is based on the Unified Payments Interface (UPI), the security for which is handled by a New Delhi-based cybersecurity company called Lucideus Tech. According to a report in The Economic Times, the cybersecurity company had around a dozen people working relentlessly for close to two months on the security of the Bhim app. The team's mandate was to ensure that all the security loopholes were plugged and the app was safe before it went live. The app is developed by the National Payments Council of India (NPCI).

According to Saket Modi, the CEO of Lucideus Tech, around a dozen people were working exclusively on the Bhim app security. The company has in the past worked for organisations such as ICICI Bank, Standard Chartered, IndiGo and KFC. He added that Lucideus was considered to work on the security of the Bhim app because it has also worked on the cybersecurity assessment for the UPI common library, which is embedded in all the net banking apps offering UPI.

Three levels of security

The Bhim app has three levels of security going in. You come across the first level when you open the app – that is when it gets bound to the device ID and your phone number. You are quickly prompted to enter a PIN number to unlock and open the app.

The second level of security is when the authentication takes place between the bank and the user's mobile number registered with the bank. That is basically the one-time password.

The third level of security is the UPI PIN, which is set by you and which will be required for every transaction you do through the Bhim app. The authorisation of the transaction happens via the UPI servers.

Other security measures

The Lucideus team also simulated multiple scenarios where they tried to breach the app. For instance, you get a call while you are in the middle of a transaction and hand the phone over to another person. After the call, it will not be easy for the other person to manipulate the transaction, as the UPI PIN needs to be re-entered after disconnecting the call.

Even if someone manages to duplicate your SIM or steals your phone, doing transactions will not be possible without the UPI PIN, said Lucideus' Modi. He acknowledges that although they will try to create multiple scenarios to make the security robust, nothing can be 100 per cent secure. "But what can be done is to ensure that all known controls are tested for and to have an incident response strategy ready in case of a breach," said Modi.

According to Modi, Bhim could turn out to be more convenient than mobile wallets because it is superior from a technology standpoint and easier to use as compared to mobile wallets. The need to have a third-party wallet is bypassed as you are able to transact directly using your bank account details without any need to fill your digital wallet with money.

