Hi #Aadhaar 👋! Can we talk about the #BenefitsOfAadhaar for the #India population?
— Elliot Alderson (@fs0c131y) January 10, 2018
I quickly checked your #android app on the #playstore and you have some security issues... It's super easy to get the password of the local database, for example... 🤦‍♂️ https://t.co/acjp6tUjqs
The #Aadhaar #android app is saving your biometric settings in a local database which is protected with a password. To generate the password they used a random number with 123456789 as seed and a hardcoded string db_password_123 🤦♂️ pic.twitter.com/Ty7cPmOjAb
— Elliot Alderson (@fs0c131y) January 10, 2018
Did they copy-paste this https://t.co/5KKSysotQO?
— Elliot Alderson (@fs0c131y) January 10, 2018
It would also be good to remove the "developer" endpoint from the release apk... pic.twitter.com/3kNwIJUWRO
— Elliot Alderson (@fs0c131y) January 10, 2018
A lot of people are asking me how bad the generation of the local database password in the #Aadhaar #android #app is.
I published a small POC here: https://t.co/m2LcIXVYu8
If you start the application multiple times you will see that the generated passwords are always the same pic.twitter.com/U5TRTHiWen
— Elliot Alderson (@fs0c131y) January 11, 2018
Storing data in a local database is a common practice in the #Android world.
In the #Aadhaar #android app they store:
- user password data (hash)
- notification
- Ki value
- EKYC Profile Data
- Biometric Prefs
- Bio Lock Timeout
- App Configuration pic.twitter.com/cCfaAKFVkB
— Elliot Alderson (@fs0c131y) January 11, 2018
According to the official documentation, https://t.co/fZz5p2cic2, EKYC Profile Data contains the following data:
- User_Id
- Aadhar_Id
- Name
- Dob
- Gender
- Address
- Photo
- ... pic.twitter.com/x1TI9uXXTM
— Elliot Alderson (@fs0c131y) January 11, 2018
Password salt used by the #Aadhaar #android @-BeTtyBoTterHAdSoMeBiTTerButTeR-@
Do I have to cry or laugh 😕?
cc @unix_root @TheHackersNews @UIDAI #BenefitsOfAadhaar pic.twitter.com/qwEkzwkcyQ
— Elliot Alderson (@fs0c131y) January 10, 2018
Hi @KhoslaLabs, @UIDAI 👋! Let me show you the power of git.
If an Android dev wants to integrate AadhaarBridge in his #android app, he will visit this page: https://t.co/JNWD63dUe4
Because he is curious, he will click on "SDK For Android" and "Sample Application" pic.twitter.com/HKMpquY8yo
— Elliot Alderson (@fs0c131y) January 11, 2018
But oops! You removed the sample application (apk file) and the library (jar file) from the repo. I guess you want to discuss before giving him the info pic.twitter.com/abeQz8bi1y
— Elliot Alderson (@fs0c131y) January 11, 2018
But hey, come on! This is a GIT repo, I just have to check out the correct commit to get the latest library and APK pic.twitter.com/hqUsJq1jQu
— Elliot Alderson (@fs0c131y) January 11, 2018
You handle the data of the whole #India population and you don't even know how git works?!
— Elliot Alderson (@fs0c131y) January 11, 2018
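The three weaknesses the thread points at (a java.util.Random seeded with a literal, a hardcoded database password and salt, and a "developer" endpoint shipped in the release build) are all visible in decompiled source, so they can be caught by a static check before release. The following scanner is an added example for this page, not code from the thread or from the Aadhaar app; it runs over a constructed Java snippet whose class, field and URL names are invented for the illustration. Only the seed value 123456789, the string db_password_123 and the salt string come from the thread.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed Java snippet reproducing the anti-patterns the thread reports.
# Class, field and URL names are invented for this example; they are NOT the app's code.
SAMPLE_JAVA = """\
package com.example.wallet;  // constructed package, not the real one

public class DbHelper {
    private static final String DB_SECRET = "db_password_123";
    private static final String SALT = "@-BeTtyBoTterHAdSoMeBiTTerButTeR-@";
    private static final String DEV_API = "https://developer.example.invalid/api/";

    String dbPassword() {
        java.util.Random r = new java.util.Random(123456789);
        return DB_SECRET + r.nextInt();
    }

    byte[] dbKey() {
        byte[] k = new byte[32];
        new java.security.SecureRandom().nextBytes(k);  // fine: unpredictable per install
        return k;
    }
}
"""


@dataclass(frozen=True)
class Finding:
    line: int      # 1-based line number in the scanned source
    rule: str      # which check fired
    evidence: str  # the matched text, for the report


# (rule name, pattern). Heuristic source-level checks, deliberately narrow:
#  - seeded-random: java.util.Random built from a numeric literal -> same sequence every run
#  - hardcoded-secret: a field whose name suggests a password/secret/salt assigned a string literal
#  - dev-endpoint: a URL literal pointing at a "dev"/"developer" host or path
RULES = [
    ("seeded-random", re.compile(r"new\s+(?:java\.util\.)?Random\s*\(\s*-?\d+L?\s*\)")),
    ("hardcoded-secret", re.compile(r'\b\w*(?:pass|secret|salt)\w*\s*=\s*"[^"]*"', re.I)),
    ("dev-endpoint", re.compile(r'"https?://[^"]*dev(?:eloper)?[^"]*"', re.I)),
]

# Strips a trailing line comment. "//" preceded by whitespace or at line start is a
# comment; "https://" is not, because ":" precedes the slashes.
_LINE_COMMENT = re.compile(r"(^|\s)//.*$")


def scan_java(source: str) -> list[Finding]:
    """Return one Finding per (line, rule) that matches, in source order."""
    findings: list[Finding] = []
    for lineno, text in enumerate(source.splitlines(), start=1):
        code = _LINE_COMMENT.sub("", text)
        for rule, pattern in RULES:
            m = pattern.search(code)
            if m:
                findings.append(Finding(lineno, rule, m.group(0).strip()))
    return findings


def report(source: str) -> str:
    """Human-readable summary, one line per finding."""
    return "\n".join(f"line {f.line}: {f.rule}: {f.evidence}" for f in scan_java(source))


if __name__ == "__main__":
    print(report(SAMPLE_JAVA))
```

The seeded-random rule is the one that matters most here: a Random built from a constant produces the same nextInt() sequence on every device and every launch, so concatenating it with a string constant yields one fixed password for every install, which is exactly what the POC in the thread demonstrates. The SecureRandom call in dbKey() is left unflagged on purpose; a key drawn from SecureRandom at first run and kept in the Android Keystore is the usual replacement for a derived constant. The checks are regex heuristics over source text, so they are a pre-release gate, not a proof of absence.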