Maadhaar Security Flaw Makes Stealing Aadhaar Data Easier

The researcher named Elliot Alderson took to Twitter to explain the security flaw in the Aadhaar app. He pointed out the issues that would cause security issues in the Android app. He writes in his tweet to UIDAI that it is super easy to get the password of the local database of Aadhaar.

I quickly check your #android app on the #playstore and you have some security issues…It’s super easy to get the password of the local database for example…🤦‍♂️https://t.co/acjp6tUjqs — Baptiste Robert (@fs0c131y) January 10, 2018 However, UIDAI in a response Tweet mentioned that “mAadhaar uses a local db to store the user preferences on the user’s device. This data is application preferences as created by the user on his/her phone. The app does not capture, store or take any biometric inputs. So the question of biometrics being compromised does not arise.” To explain the issue, the mAadhaar app saves all the biometric settings in a local database which is protected with a password and, to generate the password, UIDAI uses a random number with 123456789 as seed and a hardcoded string db_password_123 which makes it easy for anyone to crack it.

As said in this tweet, you stored the hash of the user password in the database. As the db password is identical for everybody it’s easy for an attacker to get it an so compromised his account.Can you consider this and fix that? Regards,https://t.co/vsidqAyqis — Baptiste Robert (@fs0c131y) January 11, 2018 He, in a later tweet, explained that debug feature that is enabled in the app by default lets someone repack the app with the logging activated and distribute it. So, all the Aadhaar data will be available to the hacker and the attacker can easily upload the log file to his server. He also mentioned a hacker is already stealing the data. https://twitter.com/fs0c131y/status/951965819801567232 This is not the first time when someone has raised a question about Aadhaar’s privacy. Earlier, there was a report last week that a major security loophole in the Aadhaar database made the unrestricted access to the database and Aadhaar data is available just for Rs. 500. UIDAI, however, issued a restriction to some official to the Aadhaar portal. The authority will also release some new Aadhaar security features in March this year.