After an investigation by a leading English news daily in India discovered how Aadhaar details of the entire country were being sold at Rs 500, a French security researcher found yet another massive loophole that allows anyone with basic programming knowledge to break into the mAadhaar Android app and steal user data.
The French researcher, alias Elliot Alderson, who goes by the handle @fs0c131y on Twitter, revealed in a thread of tweets how the password to the local database which the mAadhaar app uses to store sensitive information like your biometric preferences, KYC profile data and user passwords can be easily acquired. Essentially, if someone has access to your phone, your Mobile Aadhaar PIN can be compromised with ease.
Another day, another security breach
We reached out to the researcher, who said that the mAadhaar app uses a local database on the phone to store information like your password, app preferences and the like. It is common practice for developers to do so. That local database is protected by a password which is supposed to be randomly generated. However, @fs0c131y found that the way this password is generated is poorly written.
The #Aadhaar #android app is saving your biometric settings in a local database which is protected with a password. To generate the password they used a random number with 123456789 as seed and a hardcoded string db_password_123 pic.twitter.com/Ty7cPmOjAb — Elliot Alderson (@fs0c131y) January 10, 2018
Essentially, the password is generated from a random number generator seeded with the fixed value “123456789”, combined with the hardcoded string “db_password_123”. Both values are the same on every phone, so the supposedly random password is identical on every installation and can be reproduced by anyone who has read the app's code. Using this, anyone with access to your phone can break into the app, obtain your user password and, in effect, get access to all your demographic and biometric details.
A lot of people asking me how bad is the generation of the local database password in the #Aadhaar #android #app.
I published a small POC here: https://t.co/m2LcIXVYu8
If you start the application multiple times you will see that the generated password are always the same pic.twitter.com/U5TRTHiWen — Elliot Alderson (@fs0c131y) January 11, 2018
The researcher even published a proof-of-concept on GitHub to demonstrate the flaw. He made an application with the same code so that if you run it multiple times, it gives you the same password over and over again instead of the randomised password the app is supposed to generate. You can read more about it here.
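To show why a seeded generator plus a constant string is no protection at all, here is a small illustration added for this article; it is not the researcher's proof-of-concept or the app's actual code. The way the seeded number and the string are combined is an assumption (the article only names the two inputs), and the hardened variant draws the secret from the operating system's CSPRNG instead.

```python
import hashlib
import random
import secrets

# Both inputs are quoted in the article; both are identical on every phone.
FIXED_SEED = 123456789
HARDCODED_STRING = "db_password_123"


def weak_db_password() -> str:
    """Mimics the flawed scheme: a PRNG seeded with a constant plus a constant string.

    The combination step (SHA-256 over nonce + string) is an assumption; the point is
    that every input is fixed, so the output is fixed and reproducible offline.
    """
    rng = random.Random(FIXED_SEED)          # same seed -> same sequence, every launch
    nonce = rng.randint(0, 2**31 - 1)        # "random" number that never changes
    return hashlib.sha256(f"{nonce}{HARDCODED_STRING}".encode()).hexdigest()


def strong_db_password() -> str:
    """Hardened version: an unpredictable secret from the OS CSPRNG, no seed, no constant."""
    return secrets.token_hex(32)


def is_deterministic(generator, launches: int = 5) -> bool:
    """True if repeated 'app launches' yield the same password (what the researcher showed)."""
    first = generator()
    return all(generator() == first for _ in range(launches - 1))


if __name__ == "__main__":
    print("weak scheme repeats across launches:  ", is_deterministic(weak_db_password))
    print("strong scheme repeats across launches:", is_deterministic(strong_db_password))
```

A random secret like the hardened one still has to be stored somewhere an attacker with the phone cannot simply read, for example in the Android Keystore; generating it unpredictably is necessary but not sufficient.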
Storing data in a local database is a common practice in the #Android world.
In the #Aadhaar #android app they store:
- user password data (hash)
- Ki value
- EKYC Profile Data
- Biometric Prefs
- Bio Lock Timeout
- App Configuration pic.twitter.com/cCfaAKFVkB — Elliot Alderson (@fs0c131y) January 11, 2018
The mAadhaar app, @fs0c131y found, stores your photograph in the local database, which is biometric information in itself, alongside your eKYC profile data and more. The eKYC profile data includes the user ID, the Aadhaar ID, your name, date of birth, gender, address and your photograph.
The researcher uses the alias Elliot Alderson, the name of the protagonist of Mr. Robot, a popular TV series about cyber security and hacking. He had earlier found a backdoor on OnePlus devices which granted hackers root access and easy access to other sensitive information.
The researcher even shared the information with UIDAI that supervises the Aadhaar project in the country. However, the last time a reporter tried to inform the authority about a breach in the Aadhaar system, the regulatory body filed an FIR against her. It remains to be seen how UIDAI handles the new revelation and more importantly, what steps the authority takes to remedy the issue and make the app secure.