Twitter user chips at mAadhaar, uncovers security holes

Last Updated 20 September 2018, 10:38 IST

A France-based hacker going by the pseudonym, Elliot Anderson, has reported a potentially massive security flaw in UIDAI's mAadhaar app that could allow malicious entities to steal a user's Aadhaar data and by extension, their identity.

In a series of tweets, Anderson detailed the flaws of the mAadhaar app, starting with how the app stores information in a local database on the user's phone, which by itself is not a problem because that is how most apps work on Android.

Hi #Aadhaar 👋! Can we talk about the #BenefitsOfAadhaar for the #India population?

I quickly check your #android app on the #playstore and you have some security issues...It's super easy to get the password of the local database for example...🤦‍♂️https://t.co/acjp6tUjqs
— Elliot Alderson (@fs0c131y) January 10, 2018

On deeper inspection, Anderson found that the app saves the users' biometric data on the local database, whose password is generated using a random number with a hardcoded string with 123456789 as the seed.

The #Aadhaar #android app is saving your biometric settings in a local database which is protected with a password. To generate the password they used a random number with 123456789 as seed and a hardcoded string db_password_123 🤦‍♂️ pic.twitter.com/Ty7cPmOjAb
— Elliot Alderson (@fs0c131y) January 10, 2018

Which was found to be the exact same code posted by a user on stack overflow as part of their query:

Did they copy paste this https://t.co/5KKSysotQO?
— Elliot Alderson (@fs0c131y) January 10, 2018

Anderson then suggested removing the developer endpoint from the release application.

It can be good also to remove the "developer" endpoint from the release apk... pic.twitter.com/3kNwIJUWRO
— Elliot Alderson (@fs0c131y) January 10, 2018

When the Aadhaar autopsy started to pick up steam on social media, Anderson was hit with a string of questions about the manner in which the password is generated. To that, Anderson posted a POC on github detailing the process:

A lot of people asking me how bad is the generation of the local database password in the #Aadhaar #android #app.

I published a small POC here: https://t.co/m2LcIXVYu8

If you start the application multiple times you will see that the generated password are always the same pic.twitter.com/U5TRTHiWen
— Elliot Alderson (@fs0c131y) January 11, 2018

Storing data in a local database is a common practise in the #Android world.

In the #Aadhaar #android app they store:
- user password data (hash)
- notification
- Ki value
- EKYC Profile Data
- Biometric Prefs
- Bio Lock Timeout
- App Configuration pic.twitter.com/cCfaAKFVkB
— Elliot Alderson (@fs0c131y) January 11, 2018

Anderson looked into the official documentation and learnt that the app stores the user's ID, Aadhaar number, name, date of birth, address, gender and photo.

According to the official documentation, https://t.co/fZz5p2cic2, EKYC Profile Data contains the following data:
- User_Id
- Aadhar_Id
- Name
- Dob
- Gender
- Address
- Photo
- ... pic.twitter.com/x1TI9uXXTM
— Elliot Alderson (@fs0c131y) January 11, 2018

Eventually, after a lot of digging, Anderson found the password salt used by the Aadhaar app, which was embarrasing, to say the least:

Password salt used by the #Aadhaar #android @-BeTtyBoTterHAdSoMeBiTTerButTeR-@
Do I have to cry or laugh 😕?

cc @unix_root @TheHackersNews @UIDAI #BenefitsOfAadhaar pic.twitter.com/qwEkzwkcyQ
— Elliot Alderson (@fs0c131y) January 10, 2018

Anderson decided to contact Khosla Labs, the company that made the Aadhaar app, to show them some of their glaring mistakes and oversights:

Hi @KhoslaLabs, @UIDAI 👋! Let me show you the power of git.

If an Android dev want to integrate AadhaarBridge in his #android app, he will visit this page: https://t.co/JNWD63dUe4

Because he is curious, he will click on the "SDK For Android" and the "Sample Application" pic.twitter.com/HKMpquY8yo
— Elliot Alderson (@fs0c131y) January 11, 2018

But oops! You removed the sample application (apk file) and the library (jar file) from the repo. I guess you want to discuss before giving him the info pic.twitter.com/abeQz8bi1y
— Elliot Alderson (@fs0c131y) January 11, 2018

But hey come on! This is a GIT repo, I just have to checkout on the correct commit to get the latest library and APK pic.twitter.com/hqUsJq1jQu
— Elliot Alderson (@fs0c131y) January 11, 2018

You handle the data of the all #India population and you don't even know how git is working?!
— Elliot Alderson (@fs0c131y) January 11, 2018

(Published 12 January 2018, 08:10 IST)

Privacy Aadhaar

Deccan Herald is on WhatsApp Channels| Join now for Breaking News & Editor's Picks

Twitter user chips at mAadhaar, uncovers security holes

Follow us on