The Aadhaar card security concerns don’t seem to end. Now, a French security researcher has reportedly found a security flaw in the mAadhaar app. As per his report, the flaw makes it easier for someone with physical access to any user’s phone to acquire their Aadhaar card details.
The researcher, who tweets under the pseudonym Elliot Alderson (his real name is Baptiste Robert), took to Twitter to explain the flaw in the Android app. In a tweet addressed to UIDAI, he writes that it is "super easy" to get the password of the app's local database.
Hi #Aadhaar 👋! Can we talk about the #BenefitsOfAadhaar for the #India population?
I quickly check your #android app on the #playstore and you have some security issues…It's super easy to get the password of the local database for example…🤦♂️https://t.co/acjp6tUjqs
— Baptiste Robert (@fs0c131y) January 10, 2018
UIDAI, however, replied in a tweet that “mAadhaar uses a local db to store the user preferences on the user’s device. This data is application preferences as created by the user on his/her phone. The app does not capture, store or take any biometric inputs. So the question of biometrics being compromised does not arise.”
To explain the issue: the mAadhaar app stores its settings, including the biometric settings, in a local database that is protected with a password. To generate that password, the app seeds a random number generator with the constant 123456789 and combines its output with the hardcoded string db_password_123. Because neither the seed nor the string ever changes, the "random" password is the same on every phone, so anyone who reads those two values out of the app can open the database on any user's device.
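The following is an added example, not code from the mAadhaar app or from the researcher, showing why a constant seed defeats the purpose of a "random" password. It re-implements java.util.Random's 48-bit linear congruential generator (the PRNG Android apps get from the JDK) so the run is reproducible offline; the seed 123456789 and the string db_password_123 are the values reported above, while the way they are combined (plain concatenation) and the per-install alternative are assumptions made for illustration.

```python
import os


class JavaRandom:
    """Minimal re-implementation of java.util.Random (48-bit LCG, as specified in the JDK).

    With a constant seed it yields the same sequence on every device, every time.
    """

    MULTIPLIER = 0x5DEECE66D
    ADDEND = 0xB
    MASK = (1 << 48) - 1

    def __init__(self, seed):
        # Java scrambles the caller's seed with the multiplier before use.
        self.seed = (seed ^ self.MULTIPLIER) & self.MASK

    def _next(self, bits):
        self.seed = (self.seed * self.MULTIPLIER + self.ADDEND) & self.MASK
        value = self.seed >> (48 - bits)
        # Java's next() returns a signed 32-bit int.
        if value >= 1 << 31:
            value -= 1 << 32
        return value

    def next_int(self):
        return self._next(32)


# Values reported in the article. How the app actually combined them is not
# documented there; plain concatenation is an assumption for illustration.
HARDCODED_SEED = 123456789
HARDCODED_STRING = "db_password_123"


def weak_db_password(seed=HARDCODED_SEED, fixed_part=HARDCODED_STRING):
    """Model of the reported scheme: constant-seeded PRNG mixed with a constant string."""
    return f"{fixed_part}{JavaRandom(seed).next_int()}"


def strong_db_password():
    """Per-install key from the OS CSPRNG.

    On a real device it would be generated once at first run and kept in the
    Android Keystore (deployment assumption, not shown here).
    """
    return os.urandom(32).hex()


def attacker_can_open(victim_password, attacker_guess):
    """An attacker holding a pulled copy of the database succeeds iff the password matches."""
    return victim_password == attacker_guess


def demo():
    # Two "devices" run the same derivation.
    device_a = weak_db_password()
    device_b = weak_db_password()
    # An attacker who read the seed and string out of the APK recomputes it offline.
    attacker_guess = weak_db_password()
    weak_opens = attacker_can_open(device_a, attacker_guess) and device_a == device_b

    # With a per-install random key, a guess derived from the APK is useless
    # against any device other than the attacker's own.
    strong_a = strong_db_password()
    strong_b = strong_db_password()
    strong_opens = attacker_can_open(strong_a, strong_b)
    return weak_opens, strong_opens


if __name__ == "__main__":
    weak, strong = demo()
    print("constant seed: attacker opens every device's DB:", weak)
    print("per-install key: attacker opens another device's DB:", strong)
```

The point of the LCG reimplementation is that the attacker does not need the phone at all to learn the password: the seed and string are in the APK, and the PRNG is fully specified, so the derivation can be replayed on a laptop. A seeded PRNG is a substitute for randomness only when the seed itself is secret and unique.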
Hi @UIDAI,
As said in this tweet, you stored the hash of the user password in the database. As the db password is identical for everybody it's easy for an attacker to get it and so compromise his account.
Can you consider this and fix that? Regards, https://t.co/vsidqAyqis
— Baptiste Robert (@fs0c131y) January 11, 2018
In a later tweet, he explained that a debug feature, enabled in the app by default, lets someone repack the app with logging activated and distribute it. All the Aadhaar data handled by the app would then be written to the log, and the attacker can simply upload the log file to his server. He also mentioned that a hacker is already stealing data this way.
https://twitter.com/fs0c131y/status/951965819801567232
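A reviewer looking at an APK for this class of problem would start by decoding it (for example with `apktool d app.apk -o out`) and inspecting the manifest. The block below is an added example, not part of the original article or the app, that audits a decoded AndroidManifest.xml for two flags that matter to an attacker with the phone in hand: android:debuggable, which is an assumption about which "debug feature" the tweet refers to (the tweet does not name it), and android:allowBackup, which goes beyond the tweet but is the flag that lets `adb backup` pull an app's local database off an unrooted device. The manifest is a constructed sample, not the mAadhaar manifest.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifest for illustration; it is NOT the mAadhaar manifest.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.app">
    <application android:label="Example"
                 android:debuggable="true"
                 android:allowBackup="true">
        <activity android:name=".MainActivity" />
    </application>
</manifest>
"""


def _bool_attr(element, name, default):
    """Read a namespaced android:* boolean attribute, falling back to its platform default."""
    raw = element.get(f"{{{ANDROID_NS}}}{name}")
    if raw is None:
        return default
    return raw.strip().lower() == "true"


def audit_manifest(xml_text):
    """Return the manifest findings a reviewer wants for a release build.

    debuggable  - a release build must not ship with this set; when it is, a
                  debugger can be attached and verbose logging paths are active.
    allowBackup - defaults to true; when set, `adb backup` can copy the app's
                  private data (including a local database) from the device.
    """
    root = ET.fromstring(xml_text)
    app = root.find("application")
    if app is None:
        raise ValueError("manifest has no <application> element")
    findings = {
        "package": root.get("package"),
        "debuggable": _bool_attr(app, "debuggable", default=False),
        "allowBackup": _bool_attr(app, "allowBackup", default=True),
    }
    findings["issues"] = [k for k in ("debuggable", "allowBackup") if findings[k]]
    return findings


if __name__ == "__main__":
    result = audit_manifest(SAMPLE_MANIFEST)
    print(result["package"], "issues:", ", ".join(result["issues"]) or "none")
```

Note that a repacked APK, as described in the tweet, is a separate distribution that only affects users who sideload it; the manifest check above catches the case where the official build itself ships with debugging left on. On recent Android versions `adb backup` no longer copies app data unless the app is also debuggable, so the two flags together are the combination to look for.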
This is not the first time someone has raised questions about Aadhaar's privacy. Last week, a report said a major security loophole gave unrestricted access to the Aadhaar database, with Aadhaar data on sale for just Rs. 500. UIDAI has since restricted some officials' access to the Aadhaar portal, and the authority will also release new Aadhaar security features in March this year.