"Sham Cash": "Hayat Tahrir al-Sham" Imposes Financial System for Salaries, and Tech Expert Reveals Vulnerabilities
The application's suspicious permissions, such as access to the camera and biometric data, reflect risks to user privacy and information security.
The interim government affiliated with Hayat Tahrir al-Sham in Syria has imposed the "Sham Cash" application on employees for receiving their salaries, amid warnings of security and technical risks that may threaten users' privacy and personal data.
The appointee managing Syria's Central Bank under the interim government formed by Abu Mohammed al-Jolani issued circular No. 15/856/S dated 30/12/2024, requiring all financial and banking institutions operating in Syria to create accounts on the application through the official website shamcash.com, with a two-day deadline to implement the decision.
Information expert Dilshad Othman revealed in a detailed technical analysis on his Facebook page that the application requests concerning permissions, including access to the phone's camera, users' biometric data, and background operation. It can also detect active applications on the phone, raising concerns about potential surveillance use.
The technical expert explained that the application file is 43.91 MB with a specific digital signature and uses Flutter technology in the user interface, noting that the application prevents the phone from entering sleep mode, meaning it continues working in the background even when not in use.
Othman pointed out that the application is connected to servers in Turkey's Hatay province through a specific IP address and uses Google's Firebase service to communicate with the company's server, warning of a security vulnerability in port 1433 for Microsoft SQL Server.
The mystery surrounding the application's ownership and management raised numerous questions, as the domain was registered in July 2023 with a hidden registrant identity, and the website contains no information about the owning company or its address, limiting communication to the Telegram platform and European phone numbers.
The application requires several permissions from users including: system notifications, camera use, fingerprints and biometrics, internet connection, network status access, and prevention of sleep mode.
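One way to check an app's declared permissions against the list above, as an added example that is not code from Othman's analysis or from the application. It assumes an Android package whose AndroidManifest.xml has already been decoded to text XML; the mapping from the article's wording to Android permission names and the sample manifest are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Assumed mapping from Android manifest permission names to the article's
# plain-language list (the article itself does not give these names).
REPORTED = {
    "android.permission.POST_NOTIFICATIONS": "system notifications",
    "android.permission.CAMERA": "camera use",
    "android.permission.USE_BIOMETRIC": "fingerprints and biometrics",
    "android.permission.USE_FINGERPRINT": "fingerprints and biometrics",
    "android.permission.INTERNET": "internet connection",
    "android.permission.ACCESS_NETWORK_STATE": "network status access",
    "android.permission.WAKE_LOCK": "prevention of sleep mode",
}
# Categories the article's analysis singles out as concerning; USE_BIOMETRIC
# gates the system biometric prompt, so review how the result is used.
REVIEW = {"camera use", "fingerprints and biometrics", "prevention of sleep mode"}

def audit_manifest(manifest_xml):
    """Return (reported, unlisted): reported maps category -> needs_review,
    unlisted is the sorted list of declared permissions outside the mapping."""
    root = ET.fromstring(manifest_xml)
    declared = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for node in root.iter(tag):
            name = node.get(ANDROID_NS + "name")
            if name:
                declared.add(name.strip())
    known = declared & set(REPORTED)
    reported = {REPORTED[n]: REPORTED[n] in REVIEW for n in known}
    unlisted = sorted(declared - set(REPORTED))
    return reported, unlisted

# Constructed sample manifest (not extracted from the real application).
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.USE_BIOMETRIC"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
</manifest>"""

if __name__ == "__main__":
    reported, unlisted = audit_manifest(SAMPLE)
    for category, review in sorted(reported.items()):
        print(("REVIEW " if review else "ok     ") + category)
    for name in unlisted:
        print("UNLISTED " + name)
```

Permissions reported as unlisted are the ones to compare against what the app's stated purpose actually needs.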
The technical expert advised users not to install the application if they don't trust the Salvation Government's financial institutions, emphasizing that the main problem isn't technical but relates to attempts to impose certain institutions on citizens.
These developments come about a month after the "Military Operations Administration" led by Abu Mohammed al-Jolani took control of Damascus on December 8, 2024, and the flight of former Syrian regime head Bashar al-Assad, at a time when voices calling for implementing a federal system that ensures financial transparency and protects citizens' privacy and digital rights are rising.
Levant-Follow up