Patanjali's 'Kimbho' app busted by security researcher Elliot Alderson, taken down from Play Store citing server issues

The app is said to be a 'swadeshi' chat app that intends to take on WhatsApp and WeChat. It has been taken down from the app stores soon after it was found to be highly flawed, with multiple security issues.

Published Date: 01 - Jun - 2018 | Last Updated: 04 - Jun - 2018

Yoga guru Baba Ramdev's Patanjali published a new online messaging app named Kimbho yesterday. The app was announced in a tweet by the company’s spokesperson SK Tijarawala. The so-called 'desi' messaging app aims to take on the likes of WhatsApp and WeChat; however, it seems that the Kimbho app is nowhere near as secure as it should be and was instead a total security nightmare. Going by the tweets of renowned French security researcher Elliot Alderson (@fs0c131y), it is possible to break into the Kimbho app and send a customised security verification code, any value between 0001 and 9999, to the phone number of your choice. Alderson later tweeted that the app is a complete rip-off of another application on Apple’s App Store called ‘Bolo Messenger’ and that he was able to access the messages of all users of the Kimbho app. The Kimbho app was taken down from the Play Store later during the day.

The app’s listing on the Play Store indicated that it was made by Patanjali Communications and by the developer Appdios, who also published the Bolo Messenger app in 2015. However, the Kimbho app’s website is still under construction and, according to @fs0c131y, is also prone to hacking. There is also a Twitter account named Kimbho Chat App (@KimbhoApp), and its latest tweet reads, “We are facing extremely high traffic on Kimbho. We are in process of upgrading our servers and will be back shortly. Sorry for the inconvenience. Please stay tuned.”

Patanjali’s spokesperson Tijarawala also tweeted that the app is no longer available for download on any platform and that the company doesn’t take any responsibility if you install any duplicate apps. He also says that the app was published for one day on the Play Store as a trial run and that, within three hours, more than 1.5 lakh users had downloaded it. “Technical work is in progress & #KIMBHO APP will be officially launched soon @yogrishiramdev”, he adds.

What we fail to understand is why anyone would publish a half-baked app with tons of security flaws on both the Android and iOS app stores for open download if it’s not ready. Most apps go through alpha, beta and/or limited user testing before being opened to download for all, but it seems that the app’s publisher had some misplaced confidence in the app’s capabilities. Additionally, even if it was a one-day trial run, which it should not have been, that does not give the app’s developers leeway to copy and repackage their previous app in such a defective manner.

After digging around, we found on LinkedIn that Aditi Kamal and Sumit Kumar are the founders of Appdios Inc. Going by their profiles, the two have worked with companies like Google and Apple. We also found Kamal’s Twitter account, and shortly before this article was written she tweeted, “We got 2+ lakhs downloads within 6 hours of app beta launch. Not many apps have got this overwhelming response. Our servers were not expecting this much traffic. We have paused our services and will be back very soon with formal app launch. Please be with us #Kimbho”

Kamal also posted some images of the app’s analytics from the Google Play Store, which are somewhat concerning given the vulnerabilities found in the app. As per the images, over 216,000 users installed the app in the brief amount of time it was available for download.

Shubham Sharma

Working on a miniaturised version of the Arc Reactor.