French security researcher points out flaws in mAadhaar app, UIDAI denies data at risk

Monday January 15, 2018 , 3 min Read

The mAadhaar Android app is said to be storing biometric data and eKYC profiles on a local database on users’ phones that can be easily hacked into.

Aadhaar has been mired in multiple security concerns of late. While the government-backed Unique Identification Authority of India (UIDAI) continues its defence of Aadhaar, claiming it to be safe and secure, a French security researcher recently discovered that the mAadhaar Android app could be breached easily, thereby compromising valuable citizen data.

Anyone with basic programming knowledge could get access to the biometric data, and eKYC information stored in mAadhaar, a researcher who goes by the alias of Eliot Alderson (@fs0c131y) explained in a series of tweets.

He stated that mAadhaar uses a local database on users’ mobile phones to store biometrics, KYC profiles, age, phone number, address, photograph and other data.

Hi #Aadhaar ?! Can we talk about the #BenefitsOfAadhaar for the #India population?
I quickly check your #android app on the #playstore and you have some security issues...It's super easy to get the password of the local database for example...?‍♂️https://t.co/acjp6tUjqs— Elliot Alderson (@fs0c131y) January 10, 2018

“The #Aadhaar #android app is saving your biometric settings in a local database which is protected with a password. To generate the password, they used a random number with 123456789 as seed and a hardcoded string db_password_123,” he wrote.

While storing data is quite common in the Android universe, in this case, mAadhaar retains all information on the mobile device. Thus, anyone with access to a users’ mobile phone can view/retrieve/steal the supposedly confidential Aadhaar information, because the database password, which is common for all users who have configured mAadhaar on their phones, can be used to access the user-generated account password to hack into the database. Anyone with some knowledge of tech can do that.

UIDAI, of course, has denied possibilities of Aadhaar data being stolen. It wrote on its official Twitter channel, “mAadhaar uses a local db to store the user preferences on the user's device. This data is application preferences as created by user on his/her phone. The app does not capture, store or take any biometric inputs. So, question of biometrics being compromised does not arise.”

mAadhaar uses a local db to store the user preferences on the user's device. This data is application preferences as created by user on his/her phone. The app does not capture, store or take any biometric inputs. So question of biometrics being compromised does not arise.
— Aadhaar (@UIDAI) January 11, 2018

Alderson, however, responded: “you stored the hash of the user password in the database. As the db password is identical for everybody it's easy for an attacker to get it and so compromised his account.” He even urged the UIDAI to “fix” the issue.

Some tech professionals have also pointed out that the Aadhaar app has several bugs. The UIDAI, however, doesn’t allow reporting of the issues. mAadhaar has one million downloads on Google Play Store so far. It has an average rating of 3.4, which may not be considered very good.

Commenting on the mAadhaar issue, Ankush Johar, Director of Infosec Ventures, an infrastructure security solutions provider, said: “Although the exploitability of this issue is pretty low, nonetheless, information as critical as Biometrics is something that should not be exposed to even the slightest risk. If, by any chance, the hackers are able to gain the biometric data as well, then it will catastrophic.”

Unique Identification Authority of India