mAadhaar app security flaw makes it easy to steal Aadhaar data

A French security researcher has reportedly found a security flaw in the mAadhaar app that makes it easy for someone with physical access to a user’s phone to obtain their personal Aadhaar card details. In a series of tweets, he explained the flaw and pointed out the issues that afflict the mAadhaar Android app.

He further says that the password of the local database is trivial to obtain: mAadhaar saves all the biometric settings in a local database protected by a password, and that password is generated from a random number generator seeded with the fixed value 123456789 combined with the hardcoded string db_password_123.
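The failure mode described above is that every input to the key derivation is a compile-time constant, so every install of the app ends up with the same database password. The following Java is an added illustration, not code from the mAadhaar app: it uses the two constants named in the article, but how the real app combined them is not stated, so the combination shown is assumed. Beside it is the hardened form, a per-install key drawn from the OS CSPRNG (which an Android app would then protect with a Keystore-backed key rather than bake into the APK).

```java
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import java.util.Random;

public class DbKeyDerivation {
    // Anti-pattern: both inputs ship inside the APK, so anyone who reads the
    // APK can compute the database password without touching a device.
    // (Constants as named in the article; combination is illustrative only.)
    static final long FIXED_SEED = 123456789L;
    static final String HARDCODED = "db_password_123";

    static String weakPassword() {
        Random rng = new Random(FIXED_SEED);   // java.util.Random is a PRNG:
        byte[] suffix = new byte[16];          // a fixed seed gives a fixed
        rng.nextBytes(suffix);                 // byte sequence on every run
        return HARDCODED + Base64.getEncoder().encodeToString(suffix);
    }

    // Hardened: 256 bits from the platform CSPRNG, generated once per install.
    // On Android this key material would be wrapped by (or generated inside)
    // the Android Keystore instead of being derived from anything in the APK.
    static byte[] freshInstallKey() {
        byte[] key = new byte[32];
        new SecureRandom().nextBytes(key);
        return key;
    }

    public static void main(String[] args) {
        // Two simulated installs of the weak scheme produce identical passwords.
        System.out.println("weak scheme identical across installs: "
                + weakPassword().equals(weakPassword()));
        // Two simulated installs of the hardened scheme do not collide.
        System.out.println("hardened scheme identical across installs: "
                + Arrays.equals(freshInstallKey(), freshInstallKey()));
    }
}
```

The audit check this encodes is simple: if a key can be recomputed from the APK alone, it is not a secret, regardless of how many steps sit between the constants and the final string.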

He also said that a debug feature enabled in the app by default lets someone repackage the app with logging activated and distribute it; all of the user’s Aadhaar data then ends up on the SD card, from where the attacker can easily upload the log file to his server.

Hi #Indian people! #Hackers are already at work. Afaik, I found the 1st #Aadhaar malware (a modified version of the official #Aadhaar #android app) on the web: https://t.co/VKuYdz94p5

VT score: 2/62

cc @malwrhunterteam @virqdroid @LukasStefanko @JAMESWT_MHT pic.twitter.com/rr9O2ZnmAf

— Elliot Alderson (@fs0c131y)
January 12, 2018

1. Hi @UIDAI and @KhoslaLabs :wave:! Let me show you why it’s not a good idea to keep a “debug feature” in the #Aadhaar #Android app you released

— Elliot Alderson (@fs0c131y)
January 12, 2018

However, UIDAI was quick to respond to the researcher and, in a reply tweet, stated that “mAadhaar uses a local db to store the user preferences on the user’s device. This data is application preferences as created by the user on his/her phone. The app does not capture, store or take any biometric inputs. So the question of biometrics being compromised does not arise.” The researcher further clarified that the app code suggests the mAadhaar app stores a user’s eKYC data (name, Aadhaar number, address, photograph) on the phone itself.

mAadhaar uses a local db to store the user preferences on the user’s device. This data is application preferences as created by user on his/her phone. The app does not capture, store or take any biometric inputs. So question of biometrics being compromised does not arise.

— Aadhaar (@UIDAI)
January 11, 2018

The researcher also released a proof-of-concept Aadhaar database password generator which, according to him, produces the same password every time, making the password relatively easy to recover. However, the authenticity of the password generator is yet to be confirmed. The silver lining is that the flaw cannot be exploited remotely; it requires physical access to the device.

There was a report early last week that a major security loophole in the Aadhaar database made unrestricted access to it available for just Rs. 500; following this report, UIDAI restricted the access of about 5,000 officials to the Aadhaar portal.

Source: The Mobile Blog

本站遵循[CC BY-NC-SA 4.0]。如您有版权、意见投诉等问题,请通过eMail联系我们处理。
酷辣虫 » 综合技术 » mAadhaar app security flaw makes it easy to steal Aadhaar data

喜欢 (0)or分享给?

专业 x 专注 x 聚合 x 分享 CC BY-NC-SA 4.0

使用声明 | 英豪名录