A France-based hacker going by the pseudonym, Elliot Anderson, has reported a potentially massive security flaw in UIDAI's mAadhaar app that could allow malicious entities to steal a user's Aadhaar data and by extension, their identity.

In a series of tweets, Anderson detailed the flaws of the mAadhaar app, starting with how the app stores information in a local database on the user's phone, which by itself is not a problem because that is how most apps work on Android.

<

On deeper inspection, Anderson found that the app saves the users' biometric data on the local database, whose password is generated using a random number with a hardcoded string with 123456789 as the seed.

Which was found to be the exact same code posted by a user on stack overflow as part of their query:

Anderson then suggested removing the developer endpoint from the release application.

When the Aadhaar autopsy started to pick up steam on social media, Anderson was hit with a string of questions about the manner in which the password is generated. To that, Anderson posted a POC on github detailing the process:

Anderson looked into the official documentation and learnt that the app stores the user's ID, Aadhaar number, name, date of birth, address, gender and photo.

Eventually, after a lot of digging, Anderson found the password salt used by the Aadhaar app, which was embarrasing, to say the least:

Anderson decided to contact Khosla Labs, the company that made the Aadhaar app, to show them some of their glaring mistakes and oversights: