NPCI Guidelines
The NPCI UPI Framework places strong emphasis on mobile application security, as UPI transactions are predominantly executed through mobile devices and involve real-time financial movement. Mobile applications act as the primary interface between users and the UPI ecosystem, making them a critical attack surface for threats such as application tampering, credential compromise, malware, and transaction manipulation.
All UPI participant entities are required to comply with the NPCI UPI security framework to ensure the confidentiality, integrity, and authenticity of transactions and customer data. The framework mandates the implementation of robust security controls, including secure application design, runtime protection, continuous monitoring, and fraud prevention mechanisms. Adherence to these requirements is mandatory to maintain trust in the UPI ecosystem, reduce fraud risk, and ensure uninterrupted payment services. Any deviation may result in compliance observations, operational restrictions, or regulatory action by NPCI.
| Serial No. | NPCI Guidelines | Checks present with Bugsmirror MASST |
|---|---|---|
| 1 | Not Allowing Rooted/Jailbroken Devices | Yes |
| 2 | Disallow Developer mode (debugging option) enabled devices | Yes |
| 3 | Ensure App Integrity checks over a trust validation by implementing: a) Anti reverse engineering b) Anti-debugging controls Runtime Checks with Nonce validation Checks should be updated with every release | Yes |
| 4 | Ensure OS (operating system) integrity checks – eg. Play Integrity API (Google integrity check for Android) | Yes, but specifically play integrity is not used(by using play integrity or a similar level of check certain devices do not satisfy like CTS,app attestation and older versions of Android: 10,11,12) |
| 5 | Not Allowing Android Emulators | Yes |
| 6 | Ensure comprehensive security testing process before release of new versions of the App | Yes, by CodeLock, RunLock, APILock(Automated) & ThreatLock(Manual testing) |
| 7 | Enable APK locking mechanism to prevent unauthorized re-distribution and tampering of UPI app | Yes |
| 8 | Implement SSL pinning to prevent Man in the Middle (MITM) attack | Yes, protection through other checks |
| 9 | Do not allow any application over UPI application to prevent screen overlay | Yes |
| NPCI/2020-21/IS/001 Date of Issue- 28th April 2020 Run-time Application Self Protection | ||
| 1 | Application code and data integrity protection at runtime | Yes |
| 2 | Debugging prevention which is used to discover critical flaws and vulnerabilities that hackers can exploit | Yes |
| 3 | Root detection and root cloaking detection | Yes |
| 4 | Code obfuscation and encrypting cryptographic keys required for communication | Yes |
| 5 | Responding to runtime attacks with customizable actions like replacing tampered code with original app code, slowing or degrading app performance, or terminating the mobile app. | Yes, by terminating the app and/or showing the dialog |
| 6 | Protections against OWASP Top 10 vulnerabilities | Yes, covers/insures OWASP- MASVS guidelines |