The Syrian government’s recent decision to mandate the use of the Sham Cash (شام كاش) app for public sector salary payments has triggered widespread concerns about digital security, data privacy, and government transparency.
Initially launched in Idlib under the control of Hay’at Tahrir al-Sham, Sham Cash has now become a central tool for processing salaries, university fees, and bill payments in government-controlled areas. However, the app is only available for direct download via its website—not through official Android or iOS stores—raising red flags about its credibility and safety.
A forensic analysis conducted by SMEX reveals that the app suffers from serious technical and legal shortcomings. The identity of its developer remains unknown, and there is no clear legal jurisdiction or accountability framework. Although some reports suggest a Turkish software firm called NorthSoft is behind its development, no official confirmation or detailed corporate information is available.
The app collects sensitive user data, including full names, national ID numbers, banking details, and contact information—without offering a clear privacy policy or disclosing how data is stored, shared, or protected. While the app uses industry-standard AES encryption, SMEX found that the app’s server retains the decryption keys, meaning it can access all user data at any time.
Moreover, the app demands broad device permissions, such as access to the camera, biometric data, and network activity. These permissions—if exploited—could enable state-backed surveillance or expose users to malicious attacks. The app has also suffered from recurrent technical failures, including access issues during Eid al-Fitr, leading to public frustration.
SMEX rated Sham Cash 17 out of 22 on its risk scale—where 22 indicates the highest risk—and recommends against its use in its current form. The report urges Syrian authorities to cease requiring public employees to use the app until it is made secure, transparent, and accountable.
With no published terms that protect users’ rights, and vague disclaimers that allow the platform to suspend accounts or change terms unilaterally, Sham Cash poses a clear threat to digital rights in Syria. SMEX calls for greater transparency regarding the app’s ownership, legal framework, and data protection practices before it can be trusted with citizens’ financial and personal information.
This article was translated and edited by The Syrian Observer. The Syrian Observer has not verified the content of this story. Responsibility for the information and views set out in this article lies entirely with the author.
