A France-based hacker going by the pseudonym Elliot Anderson has reported a potentially massive security flaw in UIDAI's mAadhaar app that could allow attackers to steal a user's Aadhaar data and, by extension, their identity.
In a series of tweets, Anderson detailed the flaws in the mAadhaar app, starting with how the app stores information in a local database on the user's phone. That by itself is not a problem; most Android apps work this way.
On deeper inspection, Anderson found that the app saves the user's biometric data in that local database, and that the database password is derived from a hardcoded string combined with the output of a random number generator seeded with the constant 123456789. A fixed seed makes the "random" output identical on every device and every run, so the password is effectively hardcoded and can be recomputed by anyone who reads the app's code.
The password-generation code turned out to be the exact same snippet a user had posted on Stack Overflow as part of a question:
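The following Python script is an added example illustrating the weakness described above; it is not code from the mAadhaar app, from Anderson's proof of concept or from the Stack Overflow post. It re-implements the 48-bit linear congruential generator behind `java.util.Random` so that the Java sequence can be reproduced outside the app, then models a password built from a hardcoded string plus one `nextInt()` drawn from a generator seeded with 123456789. Only the seed comes from the report; the placeholder string `HARDCODED_STRING_FROM_APK` and the concatenation are assumptions about how the two parts were combined. The contrast function shows what a per-install key from a CSPRNG looks like instead.

```python
"""Why a fixed-seed PRNG cannot protect a local database password.

Added example. JavaRandom is a bit-exact port of java.util.Random's
nextInt(), which is what a Java/Android app gets from `new Random(seed)`.
The hardcoded string and the prefix+number layout are assumptions;
only the seed 123456789 is taken from the published report.
"""
import secrets

MASK48 = (1 << 48) - 1
MULTIPLIER = 0x5DEECE66D
ADDEND = 0xB


class JavaRandom:
    """Port of java.util.Random: 48-bit LCG, high bits returned as int."""

    def __init__(self, seed):
        # Java XORs the caller's seed with the multiplier before use.
        self.seed = (seed ^ MULTIPLIER) & MASK48

    def _next(self, bits):
        self.seed = (self.seed * MULTIPLIER + ADDEND) & MASK48
        value = self.seed >> (48 - bits)
        # Java returns a signed 32-bit int; fold the unsigned value over.
        if value >= 1 << 31:
            value -= 1 << 32
        return value

    def next_int(self):
        """Equivalent of Random.nextInt() with no bound."""
        return self._next(32)


# Assumed placeholder. Whatever the real string is, it ships inside the
# APK, so anyone who decompiles the app can read it.
HARDCODED_STRING = "HARDCODED_STRING_FROM_APK"
HARDCODED_SEED = 123456789  # the seed named in the report


def weak_db_password(seed=HARDCODED_SEED, prefix=HARDCODED_STRING):
    """Assumed model of the flawed scheme: constant string + seeded PRNG.

    Because both inputs are constants, the result is the same on every
    device and every run, which is why the app's database is recoverable
    by anyone holding the APK and a copy of the database file.
    """
    rng = JavaRandom(seed)
    return f"{prefix}{rng.next_int()}"


def secure_db_password():
    """Per-install key from the OS CSPRNG.

    Nothing about this value can be reconstructed from the APK. In a real
    Android app it would be generated once and held in the Android Keystore
    rather than written to a file or derived from anything in the code.
    """
    return secrets.token_hex(32)


if __name__ == "__main__":
    # Two "installs" of the weak scheme produce an identical password.
    print("weak, run 1:", weak_db_password())
    print("weak, run 2:", weak_db_password())
    # Two installs of the fixed scheme produce unrelated keys.
    print("secure, run 1:", secure_db_password())
    print("secure, run 2:", secure_db_password())
```

Running the script twice, or on two different machines, prints the same weak password each time; only the seed and the string matter, and both live in the code. The port's correctness can be checked against values Java itself produces, for example `new Random(0).nextInt()` is -1155484576 and `new Random(42).nextInt()` is -1170105035.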
Anderson then suggested removing the developer endpoint from the release application.
When the Aadhaar autopsy started to pick up steam on social media, Anderson was hit with a string of questions about how the password is generated. In response, Anderson posted a proof of concept on GitHub detailing the process:
Anderson looked into the official documentation and learnt that the app stores the user's ID, Aadhaar number, name, date of birth, address, gender and photo.
Eventually, after a lot of digging, Anderson found the password salt used by the Aadhaar app, which was embarrassing, to say the least:
Anderson decided to contact Khosla Labs, the company that made the Aadhaar app, to show them some of their glaring mistakes and oversights: