1. Hi @UIDAI and @KhoslaLabs
! Let me show you how to bypass the protection mechanism you set up and run the #Aadhaar #Android app on a rooted phone.
-
-
7. A basic protection against this unpack/repack is to check if the apk certificate had been modified. If this mechanism detect that your app had been modified, it will not start the app. They have a getApkCertificateDigestSha256 method in their app but it's not used...
pic.twitter.com/bTecaOtm2z
Show this thread - End of conversation
New conversation -
-
-
Ok so the security of an app can be weakened by changing the app.... Isn't that true of anything? If they used a cert check, you could change the program code to bypass that check too. What's your point here?
-
As well said by
@troyhunt in his blog post, nothing is "Hack proof" but you can protect yourself against basic attack when you handle the data of 1.2 billion of people... -
Someone who recompiles the app so it can run on their rooted device is only hacking themselves. Unless you are talking about someone redistributing such an apk - but that would be the same risk with any app. Would your suggestion be to send the apk sig with API reqs?
-
No, you are wrong on this point, you can hack an entire service, access other user data for example, by recompiling an app
-
Even if that's true, it's not a problem unique to Aadhaar. Anyone can recompile any app. Anyone can 'hack' a website w liberal use of chromebug. I dont think 'someone could change the code' is a legitimate security flaw (as long as APIs are secure & dont implicitly trust clients)
- 2 more replies
New conversation -
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.