Hi #Aadhaar! Can we talk about the #BenefitsOfAadhaar for the #India population?
I quickly checked your #android app on the #playstore and you have some security issues... It's super easy to get the password of the local database, for example...
http://play.google.com/store/apps/details?id=in.gov.uidai.mAadhaarPlus
According to the official documentation, https://aadhaarapi.com/aadhaar-response-format/, EKYC Profile Data contains the following data: - User_Id - Aadhar_Id - Name - Dob - Gender - Address - Photo - ... pic.twitter.com/x1TI9uXXTM
So @UIDAI you are storing biometric data in the local database: the photo of the user.
Hi, where are you getting this source code?
Decompilation
Using what tools? Isn't the code obfuscated?
Not sure about the tools being used specifically, but I highly doubt that obfuscation is being applied, so it should be straightforward. I also find the value of code obfuscation as a security practice questionable.
I'm a little lost here. I have no experience with Android apps, but if it's that easy to get to such high-level source code, wouldn't people be ripping off app code left and right? I mean, how do you get camel-case symbol names?
I'm not familiar with Java/Android either, but I've done some decompilation work in C#, and apparently it's possible to reconstruct almost the original code in C#. It's not like C/C++ where most of the information is lost.
It is really easy to get the Java source code if the build does not use obfuscation. Unzip the APK and you will get a file called classes.dex, and there are so many free / open source online and stand-alone dex-to-Java decompilers.
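The replies above turn on one observation: if a release APK is not obfuscated, classes.dex still carries the original camel-case class names and decompiles back to near-source. A release pipeline can check for that directly. The script below is an added example written for this page; it is not code from the thread, from UIDAI or from the mAadhaar app. It parses the string table of a dex file using the documented layout (string_ids_size and string_ids_off at header offsets 0x38 and 0x3C, each string_data_item a uleb128 length followed by NUL-terminated MUTF-8 bytes) and reports what fraction of the app's own classes still have readable names. The package prefix `in/example`, the readability heuristic and `build_test_dex` (which constructs a toy dex so the check runs offline) are assumptions for illustration.

```python
"""Release-build check: did name obfuscation actually reach classes.dex?

Added example (not code from the thread or from the mAadhaar app). The toy dex
built by build_test_dex() is constructed data so the script runs offline.
"""
import struct
import sys
import zipfile
from typing import List, Tuple

DEX_MAGIC_PREFIX = b"dex\n"  # full magic is b"dex\n035\x00"; version byte varies
STRING_IDS_SIZE_OFF = 0x38   # header: string_ids_size (uint); string_ids_off at 0x3C


def read_uleb128(data: bytes, pos: int) -> Tuple[int, int]:
    """Decode an unsigned LEB128 value at pos; return (value, next position)."""
    value = shift = 0
    while True:
        byte = data[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
        shift += 7


def dex_strings(dex: bytes) -> List[str]:
    """Return every entry of the dex string table.

    Each string_id_item is a uint offset to a string_data_item: a uleb128
    UTF-16 length followed by NUL-terminated MUTF-8 bytes.
    """
    if not dex.startswith(DEX_MAGIC_PREFIX):
        raise ValueError("not a dex file")
    size, ids_off = struct.unpack_from("<II", dex, STRING_IDS_SIZE_OFF)
    out = []
    for i in range(size):
        (data_off,) = struct.unpack_from("<I", dex, ids_off + 4 * i)
        _utf16_len, start = read_uleb128(dex, data_off)
        end = dex.index(b"\x00", start)
        out.append(dex[start:end].decode("utf-8", errors="replace"))
    return out


def class_descriptors(strings: List[str]) -> List[str]:
    """Keep type descriptors such as 'Lin/example/app/DatabaseHelper;'."""
    return [s for s in strings if s.startswith("L") and s.endswith(";") and "/" in s]


def is_readable_name(descriptor: str) -> bool:
    """Heuristic (an assumption, not a standard): a simple class name longer than
    three characters with a capital letter after the first is treated as
    un-obfuscated. Default R8/ProGuard renaming yields 'a', 'b', 'aa', ..."""
    simple = descriptor[1:-1].rsplit("/", 1)[-1].split("$")[-1]
    return len(simple) > 3 and any(c.isupper() for c in simple[1:])


def readable_ratio(dex: bytes, package_prefix: str = "") -> float:
    """Fraction of classes under package_prefix (e.g. 'in/example') whose names
    are still readable; the prefix filter keeps library classes out of the count."""
    classes = [c for c in class_descriptors(dex_strings(dex))
               if c.startswith("L" + package_prefix)]
    if not classes:
        return 0.0
    return sum(is_readable_name(c) for c in classes) / len(classes)


def apk_readable_ratio(apk_path: str, package_prefix: str = "") -> float:
    """Same check on the primary dex inside an APK (multidex builds would need
    classes2.dex, classes3.dex, ... scanned the same way)."""
    with zipfile.ZipFile(apk_path) as apk:
        return readable_ratio(apk.read("classes.dex"), package_prefix)


def build_test_dex(strings: List[str]) -> bytes:
    """Constructed toy dex: a 0x70-byte header with only the string_ids fields
    filled in, then the string_ids table and the string data. Just enough for
    dex_strings(); it is not a loadable dex."""
    header = bytearray(0x70)
    header[0:8] = b"dex\n035\x00"
    ids_off = 0x70
    data_base = ids_off + 4 * len(strings)
    ids, data = bytearray(), bytearray()
    for s in strings:
        assert len(s) < 0x80, "toy encoder only writes one-byte uleb128 lengths"
        ids += struct.pack("<I", data_base + len(data))
        data += bytes([len(s)]) + s.encode("utf-8") + b"\x00"
    struct.pack_into("<II", header, STRING_IDS_SIZE_OFF, len(strings), ids_off)
    return bytes(header + ids + data)


if __name__ == "__main__":
    if len(sys.argv) > 1:  # usage: check_obfuscation.py app-release.apk in/example
        prefix = sys.argv[2] if len(sys.argv) > 2 else ""
        print(apk_readable_ratio(sys.argv[1], prefix))
    else:
        plain = build_test_dex(["Lin/example/app/DatabaseHelper;",
                                "Lin/example/app/KeyProvider;", "Ljava/lang/Object;"])
        shrunk = build_test_dex(["Lin/example/app/a;", "Lin/example/app/b;"])
        print("unobfuscated build:", readable_ratio(plain, "in/example"))   # 1.0
        print("obfuscated build:  ", readable_ratio(shrunk, "in/example"))  # 0.0
```

A ratio near 1.0 on a release artifact means minification never ran (or kept the app's own package). The check only measures renaming, which is the limit the thread itself raises: a constant the app needs at runtime, such as a database password, stays recoverable from the dex whatever the class is called, so the real control is not to ship the secret in the APK at all and to derive it on-device from a hardware-backed key instead.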
So I've been educating myself. However, I haven't been able to find any files that contain the generateDBPassword method mentioned earlier in this thread.
@Ratik96 what do you make of this thread?
Quite scary.
Yes, I agree that the mAadhaar Android app is not that secure.. but an attacker does not need to crack the local DB password to get a user's Aadhaar data, because here (in India) he/she can get Aadhaar details very easily.. Developers need to secure the server side..
I don't understand, they didn't Dex'd their app??
Haven't worked on Android, but how hard is it to de- and re-compile the mAadhaar app and (i) use a non-registered phone, (ii) decrypt the local database and upload it to 3rd-party servers, (iii) get a third-party app to specifically check if the mAadhaar app exists and get all the info from there?