1. Hi @UIDAI and @KhoslaLabs! Let me show you why it's not a good idea to keep a "debug feature" in the #Aadhaar #Android app you released
3. If the flag isLogger is equal to true, every time the writeLog method is called a log file is created in /sdcard/mAadhaar/ pic.twitter.com/CP18EYdDsE
4. The writeLog method is called a lot in the code. They log: - request url, method, body - decoded response - setting data - profile data - ... pic.twitter.com/d99OWcQ665
5. To enable the logging you just have to: - unpack the #Aadhaar #Android app with #apktool - change v1 to v0 in one line - repack the app with apktool - resign the app pic.twitter.com/wV5mcgHF6w
6. Install the app, login and voila! You can find the log file in /sdcard/mAadhaar/ pic.twitter.com/J20Q7yd7Gv
7. If an attacker repacks the app with the logging activated and distributes it, all your #Aadhaar data will be available on the sdcard in clear. After that, it is super easy for the attacker to upload this log file to his server.
8. So @UIDAI and @KhoslaLabs, can you ask your interns... sorry I meant: can you ask your developers to remove this "debug feature" from the APK?
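The thread describes a runtime flag (isLogger) guarding a writeLog method that dumps requests, responses and profile data to /sdcard/mAadhaar/. The following is an added example, not the mAadhaar app's code, showing that pattern next to a hardened form; the names isLogger and writeLog come from the thread, while the class name, the Context parameter and the redaction helper are illustrative.

```java
// Added example, not the app's own code. Shows why a runtime debug flag shipped
// in a release APK is a liability and how release builds avoid carrying it.
import android.content.Context;
import android.util.Log;
import java.io.File;
import java.io.FileWriter;
import java.io.IOException;

public class DebugLogging {

    // WEAK: a flag baked into the APK as data. It can be flipped by anyone who
    // can unpack, edit and re-sign the app, and the logging code stays present.
    static final boolean isLogger = false;

    static void writeLog(String tag, String message) {
        if (!isLogger) return;
        // WEAK: shared external storage. On Android 9 and earlier any app holding
        // the storage permission can read it, and the contents are in clear.
        File dir = new File("/sdcard/mAadhaar");
        dir.mkdirs();
        try (FileWriter w = new FileWriter(new File(dir, "log.txt"), true)) {
            w.write(tag + ": " + message + "\n");   // full request/response bodies
        } catch (IOException ignored) { }
    }

    // HARDENED: gate on BuildConfig.DEBUG, the Gradle-generated compile-time
    // constant. In release builds the condition is constant-false, so R8/ProGuard
    // removes the whole branch: there is no flag left in the APK to toggle.
    // Output goes to logcat only, and payloads are never logged, just events.
    static void debugLog(Context ctx, String tag, String event) {
        if (!BuildConfig.DEBUG) return;
        Log.d(tag, redact(event));
    }

    // Illustrative helper: strips anything after "body=" so a careless call site
    // cannot leak a payload even in debug builds.
    static String redact(String event) {
        int i = event.indexOf("body=");
        return i < 0 ? event : event.substring(0, i) + "body=<redacted>";
    }

    // Release builds should additionally strip Log.d/Log.v calls entirely via
    // proguard-rules.pro:
    //   -assumenosideeffects class android.util.Log { public static *** d(...); public static *** v(...); }
}
```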
Public? What? Really?