The username would be familiar to Mr. Robot fans, but the name will also be familiar because Elliot Alderson is the same person who reported on the presence of a backdoor in OnePlus software. The backdoor, programmer speak for a method of bypassing regular authentication methods, would have let a random user access and misuse any affected OnePlus device.
— Elliot Alderson (@fs0c131y) January 10, 2018
Coming back to mAadhaar, Alderson somehow managed to access the coding for the app itself. This, we’re given to understand, is possible using various techniques and isn’t in itself an issue. On analysing the code, he found several vulnerabilities.
A more security conscious app developer would have gone to greater lengths to obfuscate the code and make it harder to unravel the core of the app. Alderson has confirmed that part of the code was obfuscated, but that didn’t stop Alderson — or anyone else for that matter — from extracting a database password from the code. Better yet, this database password is apparently common to all instances of the app.
Information stored in a database, especially sensitive information, should be protected by a password and various other techniques. If you have the database password, you can compromise the database.
mAadhaar uses a local db to store the user preferences on the user's device. This data is application preferences as created by user on his/her phone. The app does not capture, store or take any biometric inputs. So question of biometrics being compromised does not arise.
— Aadhaar (@UIDAI) January 11, 2018
Replying to Alderson’s tweets, UIDAI has confirmed that the app creates a local database with innocuous data like user preferences. They add that since the app doesn’t ask for any biometric data, such data can’t be compromised. The revealed database password could unlock that local database.
Scarily enough, Alderson points out that the revealed database password can be used to access the user-created account password, thereby giving access to the Aadhaar account of the user and all the data stored inside. Also, as per the documentation for the mAadhaar app, the app will store personal information and the user’s photo in a database on your phone. If stored, this data could be compromised.
According to the official documentation, https://t.co/fZz5p2cic2, EKYC Profile Data contains the following data:
- ... pic.twitter.com/x1TI9uXXTM
— Elliot Alderson (@fs0c131y) January 11, 2018
With this leaked database password, anyone with access to your phone can potentially steal your mAadhaar password — which you created when setting up the app — and thus steal your identity.
One can also potentially spoof the app into displaying the Aadhaar information of someone else. Given that Aadhaar details and the TOTP (Time-based One-Time Password) can be accessed via mAadhaar even when offline, there is potential for serious harm if the app is compromised. In fact, if you have the TOTP, you don't need an authentication SMS for verifying something like, say, a bank transaction.
On the same thread, another Twitter user going by the name Anand V claims to have sent an email to the UIDAI CEO in October last year, where he highlighted various vulnerabilities in the app. He received no response. He claims to have had to send an email to the CEO because UIDAI doesn’t yet have a usable bug-reporting infrastructure in place.
Again, the all-important Aadhaar database itself isn’t vulnerable. The only thing that’s vulnerable is your identity, which is no less important. But then again, that information may have already been sold away for Rs 500 to an untold number of people.
Just so that non-tech people don't understand, this means
1. Any decent tech person can *get* the encrypted Mobile Aadhaar PIN because the "password" is known.
2. All the person needs is to get access to your phone.
3. Your phone gone, Your Aadhaar gone. https://t.co/sDxp9CfXUn
— Anand V (@iam_anandv) January 11, 2018
We will be updating the story with more developments as events unfold.
Note: While we haven’t been able to independently verify the claims ourselves, and UIDAI hasn’t yet issued an official statement on the matter, UIDAI’s response to Alderson’s tweets suggests an implicit acknowledgement that a flaw exists in the mAadhaar app. However, the severity of the flaw cannot be accurately gauged at this time.