 "Twitter user highlights security flaws in UIDAI's mAadhaar app for Android devices, user data could be compromised")
A Twitter user going by the name Elliot Alderson has reported a potentially serious security flaw in UIDAI’s mAadhaar app for Android devices. The username would be familiar to Mr. Robot fans, but the name will also be familiar because Elliot Alderson is the same person who reported on the presence of a **backdoor in OnePlus software** . The backdoor, programmer speak for a method of bypassing regular authentication methods, would have let a random user access and misuse any affected OnePlus device.
Hi #Aadhaar 👋! Can we talk about the #BenefitsOfAadhaar for the #India population?
— Baptiste Robert (@fs0c131y) January 10, 2018
I quickly check your #android app on the #playstore and you have some security issues...It's super easy to get the password of the local database for example...🤦♂️https://t.co/acjp6tUjqs
Coming back to mAadhaar, Alderson somehow managed to access the coding for the app itself. This, we’re given to understand, is possible using various techniques and isn’t in itself an issue. On analysing the code, he found several vulnerabilities. A more security conscious app developer would have gone to greater lengths to obfuscate the code and make it harder to unravel the core of the app. Alderson has confirmed that part of the code was obfuscated, but that didn’t stop Alderson — or anyone else for that matter — from extracting a database password from the code. Better yet, this database password is apparently common to all instances of the app. Information stored in a database, especially sensitive information, should be protected by a password and various other techniques. If you have the database password, you can compromise the database.
mAadhaar uses a local db to store the user preferences on the user's device. This data is application preferences as created by user on his/her phone. The app does not capture, store or take any biometric inputs. So question of biometrics being compromised does not arise.
— Aadhaar (@UIDAI) January 11, 2018
Replying to Alderson’s tweets, UIDAI has confirmed that the app creates a local database with innocuous data like user preferences. They add that since the app doesn’t ask for any biometric data, such data can’t be compromised. The revealed database password could unlock that local database. Scarily enough, Alderson points out that the revealed database password can be used to access the user-created account password, thereby giving access to the Aadhaar account of the user and all the data stored inside. Also, as per the documentation for the mAadhaar app, the app will store personal information and the user’s photo in a database on your phone. If stored, this data could be compromised.
According to the official documentation, https://t.co/fZz5p2cic2, EKYC Profile Data contains the following data:
— Baptiste Robert (@fs0c131y) January 11, 2018
- User_Id
- Aadhar_Id
- Name
- Dob
- Gender
- Address
- Photo
- ... pic.twitter.com/x1TI9uXXTM
With this leaked database password, anyone with access to your phone can potentially steal your mAadhaar password — which you created when setting up the app — and thus steal your identity. [caption id=“attachment_4248619” align=“alignright” width=“380”]  Representational image. Reuters[/caption] One can also potentially spoof the app into displaying the Aadhaar information of someone else. Given that Aadhaar details and the TOTP (Time-based One-Time Password) can be accessed via mAadhaar even when offline, there is potential for serious harm if the app is compromised. In fact, if you have the TOTP, you don’t need an authentication SMS for verifying something like, say, a bank transaction. On the same thread, another Twitter user going by the name Anand V claims to have sent an email to the UIDAI CEO in October last year, where he highlighted various vulnerabilities in the app. He received no response. He claims to have had to send an email to the CEO because UIDAI doesn’t yet have a usable bug-reporting infrastructure in place. Again, the all-important Aadhaar database itself isn’t vulnerable. The only thing that’s vulnerable is your identity, which is no less important. But then again, that information may have already been **sold away for Rs 500** to an untold number of people.
Just so that non-tech people don't understand, this means
— V. Anand | வெ. ஆனந்த் (@iam_anandv) January 11, 2018
1. Any decent tech person can *get* the encrypted Mobile Aadhaar PIN because the "password" is known.
2. All the person needs is to get access to your phone.
3. Your phone gone, Your Aadhaar gone. https://t.co/sDxp9CfXUn
Impact Shorts
More ShortsWe will be updating the story with more developments as events unfold. Note: While we haven’t been able to independently verify the claims ourselves, and UIDAI hasn’t yet issued an official statement on the matter, UIDAI’s response to Alderson’s tweets suggests an implicit acknowledgement that a flaw exists in the mAadhaar app. However, the severity of the flaw cannot be accurately gauged at this time.
 "Israel targets top Hamas leaders in Doha; Qatar, Iran condemn strike as violation of sovereignty")
 "Nepal: Oli to continue until new PM is sworn in, nation on edge as all branches of govt torched")
 "Who is CP Radhakrishnan, India's next vice-president?")
 "Israel informed US ahead of strikes on Hamas leaders in Doha, says White House")
 "Israel targets top Hamas leaders in Doha; Qatar, Iran condemn strike as violation of sovereignty")
 "Nepal: Oli to continue until new PM is sworn in, nation on edge as all branches of govt torched")
 "Who is CP Radhakrishnan, India's next vice-president?")
 "Israel informed US ahead of strikes on Hamas leaders in Doha, says White House")
](https://images.firstpost.com/wp-content/uploads/2017/12/AadhaarReuters.jpg){kind=link}