Digital lending security in India isn’t just “don’t get hacked.” RBI’s Digital Lending Directions reshape how apps must handle data access, consent, device trust, and incident readiness—and the engineering implications are very real.
Here are the key points (high level):
What to build for (the practical checklist)
1) Data & Consent (the “data perimeter” rule)
- Collect only need-based data
- Avoid accessing sensitive phone resources (contacts, call logs, files/media, telephony)
- Treat consent as an audit-grade event (purpose, timestamp, policy version, retention, revocation)
2) Borrower transparency reduces fraud
- Show KFS before commitment
- Prefer server-driven, tamper-evident KFS rendering
- Protect sensitive screens (screen capture / overlay risk)
3) Device trust & abuse resistance
- Move from outdated approaches to Play Integrity with backend verification
- Use risk-based policies (allow / step-up / limited mode / block)
4) Secrets & local storage
- Avoid deprecated crypto approaches
- Use Keystore-backed encryption and a clear key strategy (rotation, scope)
5) Network + auth
- Disable cleartext traffic, enforce modern TLS
- Use certificate pinning only where justified, with rotation planned
- Step-up auth for high-risk actions (disbursal, mandate, bank change)
6) Operations & incident readiness
- Centralize security logs and anomaly signals
- Have runbooks + on-call path for incident declaration
7) Verification
- Use a verifiable baseline (e.g., MASVS) and CI checks (secret scanning, dependency scanning)
Read the full, detailed checklist on Medium
If you want the complete production-ready checklist + implementation patterns + code examples:
Top comments (0)