Ever since Aadhaar linking became mandatory, several reports have highlighted its dangerous consequences. We say dangerous because your Aadhaar details are linked to your mobile number and bank account, so a leak of any one of these exposes all of your sensitive information. Now a security flaw in the mAadhaar app has been discovered by a French security researcher.
According to tweets posted by Elliot Alderson, the mAadhaar app has a security flaw that makes it easy for anyone with physical access to a user's phone to obtain that person's Aadhaar card details. He explained the flaw in a series of tweets and raised the issues that have plagued the mAadhaar app available for Android devices.
The researcher says it is very easy to obtain the password of the local database: the mAadhaar app saves all the biometric settings in a local database protected by nothing more than a password. To generate that password, the app uses a random number generator seeded with the fixed value 1233456789 together with the hardcoded string db_password_123.
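The weakness described above is that a password derived from a fixed seed and a hardcoded string is the same on every device, so it protects nothing once the derivation is known. The following added example (not code from the mAadhaar app or from the researcher; the way the seed and string are combined is an assumption made for illustration) shows that property beside the alternative a defender would want: a per-install secret drawn from the OS random source, which on Android would then be kept in the platform keystore rather than in app code.

```python
import random
import secrets

# Values named in the report; how the real app combined them is not known,
# so the derivation below is a hypothetical illustration only.
FIXED_SEED = 1233456789
HARDCODED_SUFFIX = "db_password_123"


def weak_db_password(seed: int = FIXED_SEED, suffix: str = HARDCODED_SUFFIX) -> str:
    """Hypothetical weak derivation: a PRNG seeded with a constant plus a constant string.

    Because the seed is fixed, the 'random' digits are identical on every device and
    on every run, so the result is effectively a second hardcoded string.
    """
    rng = random.Random(seed)  # seeded PRNG: same seed -> same digit sequence everywhere
    prefix = "".join(str(rng.randint(0, 9)) for _ in range(8))
    return prefix + suffix


def strong_db_password(nbytes: int = 32) -> str:
    """Per-install secret from the OS CSPRNG (secrets module).

    A real Android app would generate this once at first run and store it in the
    Android Keystore, never in source code or in a constant seed.
    """
    return secrets.token_urlsafe(nbytes)


def is_deterministic(fn, runs: int = 5) -> bool:
    """Return True if calling fn() several times always yields the same value."""
    return len({fn() for _ in range(runs)}) == 1


if __name__ == "__main__":
    print("weak derivation deterministic:", is_deterministic(weak_db_password))    # True
    print("per-install secret deterministic:", is_deterministic(strong_db_password))  # False
```

The check `is_deterministic` is the one a reviewer would run against any credential-derivation routine found in an app: if it returns the same value across runs with no device- or user-specific input, the credential is a constant in disguise.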
He goes on to state that the debug feature, enabled in the app by default, allows anyone to repack the mAadhaar application with logging activated and distribute it, so that all the Aadhaar data is saved to the SD card on the device. From there, attackers can upload the log file to their servers. He also states that it is not a good idea to leave the debug feature enabled in the Android app that UIDAI released a few months back.
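One concrete form of the "debug feature left on" problem is the `android:debuggable` attribute in AndroidManifest.xml, which should be false in any release build. The following added example (not code from the mAadhaar app; it assumes the flag in question is that manifest attribute, and the manifests it inspects are constructed samples) is the check an app reviewer or release pipeline would run to catch a debuggable release before it ships.

```python
import xml.etree.ElementTree as ET

# Android manifest attributes live in this XML namespace.
ANDROID_NS = "http://schemas.android.com/apk/res/android"
DEBUGGABLE_ATTR = f"{{{ANDROID_NS}}}debuggable"

# Constructed sample manifests for illustration (not the mAadhaar manifest).
DEBUG_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.sampleapp">
  <application android:label="Sample" android:debuggable="true">
    <activity android:name=".MainActivity" />
  </application>
</manifest>"""

RELEASE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.sampleapp">
  <application android:label="Sample" android:debuggable="false">
    <activity android:name=".MainActivity" />
  </application>
</manifest>"""

# No attribute at all: Android defaults debuggable to false.
DEFAULT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.sampleapp">
  <application android:label="Sample">
    <activity android:name=".MainActivity" />
  </application>
</manifest>"""


def is_debuggable(manifest_xml: str) -> bool:
    """Return True if the <application> element sets android:debuggable="true"."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    if app is None:
        raise ValueError("manifest has no <application> element")
    return app.get(DEBUGGABLE_ATTR, "false").strip().lower() == "true"


def audit_manifest(manifest_xml: str) -> str:
    """One-line verdict suitable for a release-gate log."""
    if is_debuggable(manifest_xml):
        return "FAIL: android:debuggable=true (debug logging/attach allowed in release build)"
    return "OK: application is not debuggable"


if __name__ == "__main__":
    for name, xml in [("debug", DEBUG_MANIFEST), ("release", RELEASE_MANIFEST), ("default", DEFAULT_MANIFEST)]:
        print(f"{name}: {audit_manifest(xml)}")
```

In a build pipeline this runs against the manifest extracted from the signed release APK, not the source tree, because build configuration can override what the source manifest says.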
UIDAI immediately responded, stating that mAadhaar uses a local database to store user preferences on the user's own device. It claims that the app does not capture, store or take biometric inputs, and that the protection of user data is not compromised.
In response, Alderson clarified that the mAadhaar app code suggests it stores eKYC data such as name, Aadhaar number, address and photograph on the user's device. To support his claims, he also released a proof-of-concept Aadhaar database password generator and states that it produces the same password every time, making it easier for attackers to obtain the password. The authenticity of the password generator remains unconfirmed for now. Notably, this flaw cannot be exploited remotely, as it requires physical access to the user's device.
Last week, we came across a report alleging that the Aadhaar database has a flaw that lets anyone access it for just Rs. 500. In response, UIDAI introduced a restriction allowing only 5,000 officials to access the Aadhaar portal.