Hi #Aadhaar! Can we talk about the #BenefitsOfAadhaar for the #India population?
I quickly checked your #android app on the #playstore and you have some security issues... It's super easy to get the password of the local database, for example...
http://play.google.com/store/apps/details?id=in.gov.uidai.mAadhaarPlus
Woohoo! Sounds like a lot of people are interested in #Aadhaar. I know what I will do during my flight now.
A lot of people are asking me how bad the generation of the local database password in the #Aadhaar #android #app is. I published a small POC here: https://github.com/fs0c131y/AadhaarDatabasePasswordPOC If you start the application multiple times you will see that the generated password is always the same.
Storing data in a local database is a common practice in the #Android world. In the #Aadhaar #android app they store:
- user password data (hash)
- notification
- Ki value
- EKYC Profile Data
- Biometric Prefs
- Bio Lock Timeout
- App Configuration
According to the official documentation, https://aadhaarapi.com/aadhaar-response-format/, EKYC Profile Data contains the following data:
- User_Id
- Aadhar_Id
- Name
- Dob
- Gender
- Address
- Photo
- ...
So @UIDAI you are storing biometric data in the local database: the photo of the user.
Hey Elliot, about this issue u highlighted, I have some thoughts. A week late, cuz I anyway insist to #DestroyTheAadhaar, which has much bigger national & personal security issues in concept itself, so tech issues in an 'app' for the 1% are less relevant. https://twitter.com/fs0c131y/status/951154910569140225
First, the app store description says we need to enter a password as soon as we install. Is that password different from this one? You don't have Aadhaar so u haven't actually tested the app and it may be humanly too much to evaluate the whole code (how many lines? I don't know.)
So on the optimistic side, I was hoping they are overriding this password with a password you enter or which is at least dependent on that password through some mathematical function.
But if you are 100% sure that is not the case, that can be 'constructive feedback' we can give to @UIDAI @Product_Nation @Khoslalabs @India_Stack etc., whoever is involved in mAadhaar, though I do despise Aadhaar from the blackest bottom of my heart. #DestroyTheAadhaar
Using the user-entered password for db storage should not be difficult, because the Aadhaar information is downloaded only many steps after the user enters the password. Of course it might need encrypting everything again if the user changes the password. I don't know if that's too hard.
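An added example, written for this thread and not code from the mAadhaar app or from anyone posting here, showing the scheme the two tweets above discuss: the local database key is derived from the user-entered password plus a random per-install salt (so two launches or two installs never produce the same value, unlike the deterministic generation reported earlier in the thread), and a password change only re-wraps the database key instead of re-encrypting every stored row. The XOR-plus-HMAC wrap and the iteration count are my simplifications; a real Android app would keep the wrapped key in the Keystore and use an AEAD.

```python
# Added illustration, not the mAadhaar app's code. Stdlib only.
import hashlib
import hmac
import os
import secrets
from typing import Optional

ITERATIONS = 100_000  # assumption; tune to the device's budget


def derive_kek(password: str, salt: bytes) -> bytes:
    """Key-encryption key from the user's password: 32 bytes for the XOR pad, 32 for the MAC."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS, dklen=64)


def new_db_key() -> bytes:
    """Random 32-byte key that actually encrypts the local database (e.g. a SQLCipher key)."""
    return secrets.token_bytes(32)


def wrap_db_key(db_key: bytes, password: str) -> dict:
    """Wrap db_key under the password. A fresh salt per wrap means the XOR pad is never reused."""
    salt = os.urandom(16)
    kek = derive_kek(password, salt)
    blob = bytes(a ^ b for a, b in zip(db_key, kek[:32]))
    tag = hmac.new(kek[32:], salt + blob, "sha256").digest()
    return {"salt": salt, "blob": blob, "tag": tag}


def unwrap_db_key(wrapped: dict, password: str) -> Optional[bytes]:
    """Return db_key, or None if the password is wrong or the blob was tampered with."""
    kek = derive_kek(password, wrapped["salt"])
    expected = hmac.new(kek[32:], wrapped["salt"] + wrapped["blob"], "sha256").digest()
    if not hmac.compare_digest(expected, wrapped["tag"]):
        return None
    return bytes(a ^ b for a, b in zip(wrapped["blob"], kek[:32]))


def change_password(wrapped: dict, old: str, new: str) -> Optional[dict]:
    """Re-wrap the same db_key under a new password; encrypted rows are left untouched."""
    db_key = unwrap_db_key(wrapped, old)
    if db_key is None:
        return None
    return wrap_db_key(db_key, new)


if __name__ == "__main__":
    key = new_db_key()
    first = wrap_db_key(key, "correct horse")
    assert unwrap_db_key(first, "correct horse") == key
    assert unwrap_db_key(first, "wrong password") is None
    second = change_password(first, "correct horse", "battery staple")
    assert unwrap_db_key(second, "battery staple") == key
    assert wrap_db_key(key, "correct horse")["blob"] != first["blob"]  # no repeat across installs
    print("ok")
```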
Second, maybe just maybe you are mistaken about 'biometrics settings' https://twitter.com/fs0c131y/status/951154910569140225 As per @UIDAI's own stance, biometrics are NEVER to be stored locally, right @ceo_uidai? @SkochSameer says he has experienced @UIDAI legal wrath for doing so.
So are you suggesting that mAadhaar app itself violates UIDAI's stance? Or did you use the word 'biometrics' loosely, because it is more catchy than say personal info or demographics? Yes I agree mAadhaar stores demographic info. So maybe that's what you meant? Please confirm.
Just to be clear, biometrics means iris, fingerprints, face photograph, while demographic info means name, gender, age, date of birth, address etc.
Its TOTP implementation was also shit. https://medium.com/karana/security-analysis-of-maadhaar-d01245053b3