A French security researcher has reportedly found a security flaw in the mAadhaar app that makes it easy for someone with physical access to any user's phone to acquire their personal Aadhaar card details. In a series of tweets, he explained the flaw and pointed out the issues that afflict the mAadhaar Android app.
He further says that it is very easy to get the password of the local database, since mAadhaar saves all the biometric settings in a local database that is protected with a password. To generate that password, the app uses a random number generator seeded with 123456789 together with the hardcoded string db_password_123.
He also said that a debug feature enabled in the app by default lets someone repack the app with logging activated and distribute it, so that all of a victim's Aadhaar data is written to the SD card, from where the attacker can easily upload the log file to his server.
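The weakness described above is a general one: a password derived from a fixed PRNG seed and a hardcoded string is identical on every install, so it can be recomputed from the APK alone. The Java example below is added here for illustration and is not code from the mAadhaar app or from the researcher's proof of concept; the exact derivation steps are not on the page, so the weakDerive() body is an assumed stand-in for the reported pattern, shown beside a hardened per-install alternative.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Random;

public class DbPasswordDerivation {
    // Values reported by the researcher. How the app combines them is NOT
    // on the page; the combination below is assumed purely for illustration.
    static final long REPORTED_SEED = 123456789L;
    static final String REPORTED_HARDCODED = "db_password_123";

    /** Weak pattern: java.util.Random with a constant seed is fully
     *  deterministic, so every install derives the identical password and
     *  anyone who reads the APK can compute it without touching the device. */
    static String weakDerive() {
        Random rng = new Random(REPORTED_SEED);   // same sequence on every call
        byte[] buf = new byte[16];
        rng.nextBytes(buf);
        return Base64.getEncoder().encodeToString(buf) + REPORTED_HARDCODED;
    }

    /** Hardened pattern: a per-install secret from a CSPRNG, generated once
     *  at first run. On Android the secret (or a key wrapping it) belongs in
     *  the Android Keystore, not in SharedPreferences or the APK; here it is
     *  simply returned to the caller so the example runs on a plain JVM. */
    static String strongDerive() {
        SecureRandom rng = new SecureRandom();
        byte[] buf = new byte[32];
        rng.nextBytes(buf);
        return Base64.getEncoder().encodeToString(buf);
    }

    public static void main(String[] args) {
        // Two "installs" of the weak scheme agree on the password.
        boolean weakIsPredictable = weakDerive().equals(weakDerive());
        // Two installs of the hardened scheme produce unrelated secrets.
        boolean strongIsPredictable = strongDerive().equals(strongDerive());
        System.out.println("weak scheme repeats across installs:   " + weakIsPredictable);
        System.out.println("strong scheme repeats across installs: " + strongIsPredictable);
    }
}
```

A quick code-review check for this class of defect is to grep the app's sources for `new Random(` with a literal argument and for string literals that end up in a key-derivation path.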
Hi #Indian people! #Hackers are already at work. Afaik, I found the 1st #Aadhaar malware (a modified version of the official #Aadhaar #android app) on the web: https://t.co/VKuYdz94p5 — Elliot Alderson (@fs0c131y) January 12, 2018
VT score: 2/62
cc @malwrhunterteam @virqdroid @LukasStefanko @JAMESWT_MHT pic.twitter.com/rr9O2ZnmAf
However, UIDAI was quick to respond, and in a reply tweet it said that “mAadhaar uses a local db to store the user preferences on the user's device. This data is application preferences as created by the user on his/her phone. The app does not capture, store or take any biometric inputs. So the question of biometrics being compromised does not arise.” The researcher countered that the app code suggests the mAadhaar app stores a user's eKYC data, such as name, Aadhaar number, address and photograph, on the phone itself.
mAadhaar uses a local db to store the user preferences on the user's device. This data is application preferences as created by user on his/her phone. The app does not capture, store or take any biometric inputs. So question of biometrics being compromised does not arise. — Aadhaar (@UIDAI) January 11, 2018
He also released a proof-of-concept Aadhaar database password generator which, according to him, produces the same password every time, making the password relatively easy to recover. However, the authenticity of the password generator is yet to be confirmed. The silver lining is that the flaw cannot be exploited remotely; it requires physical access to the device.
Early last week there was a report that a major security loophole in the Aadhaar database made unrestricted access to the database available for just Rs. 500. Following that report, UIDAI restricted the access of about 5,000 officials to the Aadhaar portal.