Firstpost
  • Home
  • Video Shows
    Vantage Firstpost America Firstpost Africa First Sports
  • World
    US News
  • Explainers
  • News
    India Opinion Cricket Tech Entertainment Sports Health Photostories
  • Asia Cup 2025
Apple Incorporated Modi ji Justin Trudeau Trending

Sections

  • Home
  • Live TV
  • Videos
  • Shows
  • World
  • India
  • Explainers
  • Opinion
  • Sports
  • Cricket
  • Health
  • Tech/Auto
  • Entertainment
  • Web Stories
  • Business
  • Impact Shorts

Shows

  • Vantage
  • Firstpost America
  • Firstpost Africa
  • First Sports
  • Fast and Factual
  • Between The Lines
  • Flashback
  • Live TV

Events

  • Raisina Dialogue
  • Independence Day
  • Champions Trophy
  • Delhi Elections 2025
  • Budget 2025
  • US Elections 2024
  • Firstpost Defence Summit
Trending:
  • Nepal protests
  • Nepal Protests Live
  • Vice-presidential elections
  • iPhone 17
  • IND vs PAK cricket
  • Israel-Hamas war
fp-logo
Twitter user highlights security flaws in UIDAI's mAadhaar app for Android devices, user data could be compromised
Whatsapp Facebook Twitter
Whatsapp Facebook Twitter
Apple Incorporated Modi ji Justin Trudeau Trending

Sections

  • Home
  • Live TV
  • Videos
  • Shows
  • World
  • India
  • Explainers
  • Opinion
  • Sports
  • Cricket
  • Health
  • Tech/Auto
  • Entertainment
  • Web Stories
  • Business
  • Impact Shorts

Shows

  • Vantage
  • Firstpost America
  • Firstpost Africa
  • First Sports
  • Fast and Factual
  • Between The Lines
  • Flashback
  • Live TV

Events

  • Raisina Dialogue
  • Independence Day
  • Champions Trophy
  • Delhi Elections 2025
  • Budget 2025
  • US Elections 2024
  • Firstpost Defence Summit
  • Home
  • Business
  • Twitter user highlights security flaws in UIDAI's mAadhaar app for Android devices, user data could be compromised

Twitter user highlights security flaws in UIDAI's mAadhaar app for Android devices, user data could be compromised

tech2 News Staff • January 24, 2018, 09:27:59 IST
Whatsapp Facebook Twitter

With this leaked database password, anyone with access to your phone can potentially steal your mAadhaar password and thus steal your identity.

Advertisement
Subscribe Join Us
Add as a preferred source on Google
Prefer
Firstpost
On
Google
Twitter user highlights security flaws in UIDAI's mAadhaar app for Android devices, user data could be compromised

A Twitter user going by the name Elliot Alderson has reported a potentially serious security flaw in UIDAI’s mAadhaar app for Android devices. The username would be familiar to Mr. Robot fans, but the name will also be familiar because Elliot Alderson is the same person who reported on the presence of a **backdoor in OnePlus software** . The backdoor, programmer speak for a method of bypassing regular authentication methods, would have let a random user access and misuse any affected OnePlus device.  

Hi #Aadhaar 👋! Can we talk about the #BenefitsOfAadhaar for the #India population?

I quickly check your #android app on the #playstore and you have some security issues...It's super easy to get the password of the local database for example...🤦‍♂️https://t.co/acjp6tUjqs

— Baptiste Robert (@fs0c131y) January 10, 2018

Coming back to mAadhaar, Alderson somehow managed to access the coding for the app itself. This, we’re given to understand, is possible using various techniques and isn’t in itself an issue. On analysing the code, he found several vulnerabilities. A more security conscious app developer would have gone to greater lengths to obfuscate the code and make it harder to unravel the core of the app. Alderson has confirmed that part of the code was obfuscated, but that didn’t stop Alderson — or anyone else for that matter — from extracting a database password from the code. Better yet, this database password is apparently common to all instances of the app. Information stored in a database, especially sensitive information, should be protected by a password and various other techniques. If you have the database password, you can compromise the database.  

mAadhaar uses a local db to store the user preferences on the user's device. This data is application preferences as created by user on his/her phone. The app does not capture, store or take any biometric inputs. So question of biometrics being compromised does not arise.

— Aadhaar (@UIDAI) January 11, 2018
More from Business
Hyundai India’s Rs 27,870 crore IPO oversubscribed by 2.28X, largely driven by institutional investors Hyundai India’s Rs 27,870 crore IPO oversubscribed by 2.28X, largely driven by institutional investors How Indian fintech startups are driving Malaysia’s UPI-like digital payments revolution How Indian fintech startups are driving Malaysia’s UPI-like digital payments revolution

Replying to Alderson’s tweets, UIDAI has confirmed that the app creates a local database with innocuous data like user preferences. They add that since the app doesn’t ask for any biometric data, such data can’t be compromised. The revealed database password could unlock that local database. Scarily enough, Alderson points out that the revealed database password can be used to access the user-created account password, thereby giving access to the Aadhaar account of the user and all the data stored inside. Also, as per the documentation for the mAadhaar app, the app will store personal information and the user’s photo in a database on your phone. If stored, this data could be compromised.  

According to the official documentation, https://t.co/fZz5p2cic2, EKYC Profile Data contains the following data:
- User_Id
- Aadhar_Id
- Name
- Dob
- Gender
- Address
- Photo
- ... pic.twitter.com/x1TI9uXXTM

— Baptiste Robert (@fs0c131y) January 11, 2018

With this leaked database password, anyone with access to your phone can potentially steal your mAadhaar password — which you created when setting up the app — and thus steal your identity. [caption id=“attachment_4248619” align=“alignright” width=“380”] ![Representational image. Reuters](https://images.firstpost.com/wp-content/uploads/2017/12/AadhaarReuters.jpg) Representational image. Reuters[/caption] One can also potentially spoof the app into displaying the Aadhaar information of someone else. Given that Aadhaar details and the TOTP (Time-based One-Time Password) can be accessed via mAadhaar even when offline, there is potential for serious harm if the app is compromised. In fact, if you have the TOTP, you don’t need an authentication SMS for verifying something like, say, a bank transaction. On the same thread, another Twitter user going by the name Anand V claims to have sent an email to the UIDAI CEO in October last year, where he highlighted various vulnerabilities in the app. He received no response. He claims to have had to send an email to the CEO because UIDAI doesn’t yet have a usable bug-reporting infrastructure in place. Again, the all-important Aadhaar database itself isn’t vulnerable. The only thing that’s vulnerable is your identity, which is no less important. But then again, that information may have already been **sold away for Rs 500** to an untold number of people.  

Just so that non-tech people don't understand, this means
1. Any decent tech person can *get* the encrypted Mobile Aadhaar PIN because the "password" is known.
2. All the person needs is to get access to your phone.
3. Your phone gone, Your Aadhaar gone. https://t.co/sDxp9CfXUn

— V. Anand | வெ. ஆனந்த் (@iam_anandv) January 11, 2018

Impact Shorts

More Shorts
Tata Harrier EV vs Mahindra XEV 9e: Design and road presence compared

Tata Harrier EV vs Mahindra XEV 9e: Design and road presence compared

As Trump weaponises tariff, Fed sees a bigger worry: Not jobs, but rising prices in America

As Trump weaponises tariff, Fed sees a bigger worry: Not jobs, but rising prices in America

We will be updating the story with more developments as events unfold. Note: While we haven’t been able to independently verify the claims ourselves, and UIDAI hasn’t yet issued an official statement on the matter, UIDAI’s response to Alderson’s tweets suggests an implicit acknowledgement that a flaw exists in the mAadhaar app. However, the severity of the flaw cannot be accurately gauged at this time.

Tags
ThatsJustWrong Android Aadhaar UIDAI oneplus Mr Robot Aadhaar data breach Elliot Alderson mAadhaar mAadhaar data breach Aadhaar Special
End of Article
Latest News
Find us on YouTube
Subscribe
End of Article

Impact Shorts

Tata Harrier EV vs Mahindra XEV 9e: Design and road presence compared

Tata Harrier EV vs Mahindra XEV 9e: Design and road presence compared

The Tata Harrier EV and Mahindra XEV 9e are new electric SUVs in India. The Harrier EV has a modern, familiar design, while the XEV 9e features a bold, striking look. They cater to different preferences: the Harrier EV for subtle elegance and the XEV 9e for expressive ruggedness.

More Impact Shorts

Top Stories

Israel targets top Hamas leaders in Doha; Qatar, Iran condemn strike as violation of sovereignty

Israel targets top Hamas leaders in Doha; Qatar, Iran condemn strike as violation of sovereignty

Nepal: Oli to continue until new PM is sworn in, nation on edge as all branches of govt torched

Nepal: Oli to continue until new PM is sworn in, nation on edge as all branches of govt torched

Who is CP Radhakrishnan, India's next vice-president?

Who is CP Radhakrishnan, India's next vice-president?

Israel informed US ahead of strikes on Hamas leaders in Doha, says White House

Israel informed US ahead of strikes on Hamas leaders in Doha, says White House

Israel targets top Hamas leaders in Doha; Qatar, Iran condemn strike as violation of sovereignty

Israel targets top Hamas leaders in Doha; Qatar, Iran condemn strike as violation of sovereignty

Nepal: Oli to continue until new PM is sworn in, nation on edge as all branches of govt torched

Nepal: Oli to continue until new PM is sworn in, nation on edge as all branches of govt torched

Who is CP Radhakrishnan, India's next vice-president?

Who is CP Radhakrishnan, India's next vice-president?

Israel informed US ahead of strikes on Hamas leaders in Doha, says White House

Israel informed US ahead of strikes on Hamas leaders in Doha, says White House

Top Shows

Vantage Firstpost America Firstpost Africa First Sports
Latest News About Firstpost
Most Searched Categories
  • Web Stories
  • World
  • India
  • Explainers
  • Opinion
  • Sports
  • Cricket
  • Tech/Auto
  • Entertainment
  • IPL 2025
NETWORK18 SITES
  • News18
  • Money Control
  • CNBC TV18
  • Forbes India
  • Advertise with us
  • Sitemap
Firstpost Logo

is on YouTube

Subscribe Now

Copyright @ 2024. Firstpost - All Rights Reserved

About Us Contact Us Privacy Policy Cookie Policy Terms Of Use
Home Video Shorts Live TV