Hi #Aadhaar 👋! Can we talk about the #BenefitsOfAadhaar for the #India population?
— Elliot Alderson (@fs0c131y) January 10, 2018
I quickly checked your #android app on the #playstore and you have some security issues... It's super easy to get the password of the local database, for example...🤦♂️https://t.co/acjp6tUjqs
On deeper inspection, Alderson found that the app saves the users' biometric data in a local database whose password is generated from a random number seeded with the constant 123456789, combined with a hardcoded string.
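The weakness described above, reduced to a small illustration: this is added example code, not the Aadhaar app's source, and the way the seeded number and the hardcoded string are combined into a password is an assumption. `java.util.Random` is a deterministic generator, so a fixed seed yields the same bytes on every device and every launch; the `isDeterministic` check is the test a reviewer would run, and `freshKey` shows the alternative of a per-install secret from a CSPRNG, which on Android belongs in the Keystore rather than in code.

```java
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import java.util.Random;

public class DbKeyDerivation {
    // Values quoted in the tweets; how the real app combined them is an assumption.
    static final String HARDCODED = "db_password_123";
    static final long SEED = 123456789L;

    /** Weak: a fixed seed makes java.util.Random fully predictable, so this is a constant, not a secret. */
    public static String weakKey() {
        Random r = new Random(SEED);
        byte[] b = new byte[16];
        r.nextBytes(b);
        return HARDCODED + Base64.getEncoder().encodeToString(b);
    }

    /** Review check: derive the key twice; identical output means there is no per-install entropy at all. */
    public static boolean isDeterministic() {
        return weakKey().equals(weakKey());
    }

    /** Fix: draw the key from a CSPRNG once per install and keep it in the Android Keystore, never in code. */
    public static byte[] freshKey() {
        byte[] b = new byte[32];
        new SecureRandom().nextBytes(b);
        return b;
    }

    public static void main(String[] args) {
        System.out.println("seeded key identical across runs: " + isDeterministic());
        System.out.println("CSPRNG keys differ between calls:  " + !Arrays.equals(freshKey(), freshKey()));
    }
}
```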
The #Aadhaar #android app is saving your biometric settings in a local database which is protected with a password. To generate the password they used a random number with 123456789 as seed and a hardcoded string db_password_123 🤦♂️ pic.twitter.com/Ty7cPmOjAb
— Elliot Alderson (@fs0c131y) January 10, 2018
The code turned out to be identical to a snippet a user had posted on Stack Overflow as part of their question:
Did they copy paste this https://t.co/5KKSysotQO?
— Elliot Alderson (@fs0c131y) January 10, 2018
Alderson then suggested removing the developer endpoint from the release application.
It can be good also to remove the "developer" endpoint from the release apk... pic.twitter.com/3kNwIJUWRO
— Elliot Alderson (@fs0c131y) January 10, 2018
When the Aadhaar autopsy started to pick up steam on social media, Alderson was hit with a string of questions about how the password is generated. In response, Alderson published a proof of concept (POC) on GitHub detailing the process:
A lot of people asking me how bad is the generation of the local database password in the #Aadhaar #android #app.
— Elliot Alderson (@fs0c131y) January 11, 2018
I published a small POC here: https://t.co/m2LcIXVYu8
If you start the application multiple times you will see that the generated password is always the same pic.twitter.com/U5TRTHiWen
Storing data in a local database is a common practice in the #Android world.
— Elliot Alderson (@fs0c131y) January 11, 2018
In the #Aadhaar #android app they store:
- user password data (hash)
- notification
- Ki value
- EKYC Profile Data
- Biometric Prefs
- Bio Lock Timeout
- App Configuration pic.twitter.com/cCfaAKFVkB
Alderson looked into the official documentation and learnt that the app stores the user's ID, Aadhaar number, name, date of birth, gender, address and photo.
According to the official documentation, https://t.co/fZz5p2cic2, EKYC Profile Data contains the following data:
— Elliot Alderson (@fs0c131y) January 11, 2018
- User_Id
- Aadhar_Id
- Name
- Dob
- Gender
- Address
- Photo
- ... pic.twitter.com/x1TI9uXXTM
Eventually, after a lot of digging, Alderson found the password salt used by the Aadhaar app, which was embarrassing, to say the least:
Password salt used by the #Aadhaar #android @-BeTtyBoTterHAdSoMeBiTTerButTeR-@
— Elliot Alderson (@fs0c131y) January 10, 2018
Do I have to cry or laugh 😕?
cc @unix_root @TheHackersNews @UIDAI #BenefitsOfAadhaar pic.twitter.com/qwEkzwkcyQ
Alderson decided to contact Khosla Labs, the company that made the Aadhaar app, to show them some of their glaring mistakes and oversights:
Hi @KhoslaLabs, @UIDAI 👋! Let me show you the power of git.
— Elliot Alderson (@fs0c131y) January 11, 2018
If an Android dev wants to integrate AadhaarBridge in his #android app, he will visit this page: https://t.co/JNWD63dUe4
Because he is curious, he will click on the "SDK For Android" and the "Sample Application" pic.twitter.com/HKMpquY8yo
But oops! You removed the sample application (apk file) and the library (jar file) from the repo. I guess you want to discuss before giving him the info pic.twitter.com/abeQz8bi1y
— Elliot Alderson (@fs0c131y) January 11, 2018
But hey come on! This is a GIT repo, I just have to checkout on the correct commit to get the latest library and APK pic.twitter.com/hqUsJq1jQu
— Elliot Alderson (@fs0c131y) January 11, 2018
You handle the data of the whole #India population and you don't even know how git works?!
— Elliot Alderson (@fs0c131y) January 11, 2018