A reported flaw in the mAadhaar Android app might allow someone with physical access to a user’s phone the ability to acquire their personal Aadhaar details. In a series of tweets French security researcher Elliot Alderson highlighted the issues that afflict the mAadhaar Android app including storing Aadhaar details on the user’s device and said details are encrypted in a flimsy manner.

“I quickly check your #android app on the #playstore and you have some security issues…It’s super easy to get the password of the local database for example.. The #Aadhaar #android app is saving your biometric settings in a local database which is protected with a password. To generate the password they used a random number with 123456789 as seed and a hardcoded string db_password_123,” Alderson mentioned on Twitter.

Anand Venkatanarayanan, the editor of Kārana, a blog that reports on the Aadhaar, was scathing in his assessment of the flaw. “Any decent tech person can *get* the encrypted Mobile Aadhaar PIN because the ‘password’ is known,” he said in a series of tweets. “All the person needs is to get access to your phone. Your phone gone, your Aadhaar gone.”

Venkatnarayanan pointed out that the issue wasn’t even new as he reportedly pointed out these issues to the CEO of UIDAI AB Pandey in an email. “A $3B taxpayer funded project *does not* have a bug reporting policy for months,” he tweeted. “Their tech fixes are just empty boasts. Won’t stand scrutiny even by a decent on looker. The FIR is a legal “shut up” to cover their incompetence through Aadhaar act.”

mAadhaar’s glaring issues

Responding to Alderson the UIDAI tweeted that, “mAadhaar uses a local db to store the user preferences on the user’s device. This data is application preferences as created by user on his/her phone. The app does not capture, store or take any biometric inputs. So the question of biometrics being compromised does not arise.”

But Alderson’s in-depth dive into the app’s code suggests otherwise. It shows that the mAadhaar app stores a user’s eKYC data on the phone itself, this includes the Aadhaar Number, Name, address, photograph among others. An individual’s photograph is classified as ‘biometric information’ under section 2(g) of the Aadhaar Act, 2016.

According to the official documentation, https://t.co/fZz5p2cic2, EKYC Profile Data contains the following data:

– User_Id

– Aadhar_Id

– Name

– Dob

– Gender

– Address

– Photo

– … pic.twitter.com/x1TI9uXXTM — Elliot Alderson (@fs0c131y) January 11, 2018

Alderson released a proof-of-concept Aadhaar database password generator, which he claims generates the same password every single time. As a result this makes cracking said password relatively simple. Medianama was not able to test out this password generator.

Passwords are stored locally on a device or on the cloud through a process called hashing. Hashing is the act of converting passwords into unreadable strings of characters that should be designed to be impossible to convert back. A simple method of hashing can be achieved by using a random string of text that is added into a password to make it more secure. This random string is referred to as a ‘Password Salt’ by programmers, a common mistake that can compromise a password salt’s effectiveness is reusing the same one for all entries. The mAadhaar app uses a common password salt, “BeTtyBoTterHAdSoMeBiTTerButTeR-@” (Betty Botter has some bitter butter, a tongue twister, seriously).

As of now, the only saving grace for mAadhaar users is that there is no known way this vulnerability can be exploited remotely. Any theft of a user’s Aadhaar data will require physical access to the phone.

Previous Developments

The UIDAI said on Wednesday that people can use a Virtual ID to mask their Aadhaar number while sharing their information with third parties. Also announced was a limited KYC feature where the third parties will have access to only necessary Aadhaar details. But hidden in the fine print there was a catch, the Aadhaar-issuing body plans to split the third party authenticators (like telecom providers, banks etc) into two groups and the virtual ID and limited KYC will only be useful for one of them.

Wednesday’s move came following a January 4 report in the Tribune, that alleged the presence of a major security loophole in the Aadhaar database. A journalist from the paper was able to purchase unrestricted access to the database for as little as Rs 500. For the price, the journalist was made an Enrollment Agency Administrator for CSC SPV, apparently without any checks. Using the provided administrator login id, the journalist could log into the UIDAI portal and get unrestricted access.

The Aadhaar portal which was used to access this loophole has been taken offline since the day the report was published. The UIDAI also responded to the issue by restricting the access of about 5,000 officials to the Aadhaar portal.

“All the privileges given to designated officers for access have been immediately withdrawn,” an unnamed top government official told the Economic Times. UIDAI reportedly overhauled its system to enable access only by entering the biometrics of the person whose details were sought to be verified.