1. Hi @UIDAI and @KhoslaLabs! Let me show you why it's not a good idea to keep a "debug feature" in the #Aadhaar #Android app you released.
2. In the #Aadhaar #Android app they defined a flag called isLogger which is set to false by default. pic.twitter.com/PPo16zVLEI
3. If the flag isLogger is equal to true, every time the writeLog method is called a log file is created in /sdcard/mAadhaar/ pic.twitter.com/CP18EYdDsE
4. The writeLog method is called a lot in the code. They log:
- request URL, method, body
- decoded response
- setting data
- profile data
- ...
pic.twitter.com/d99OWcQ665
5. To enable the logging you just have to:
- unpack the #Aadhaar #Android app with #apktool
- change v1 to v0 in one line
- repack the app with apktool
- resign the app
pic.twitter.com/wV5mcgHF6w
6. Install the app, log in and voila! You can find the log file in /sdcard/mAadhaar/ pic.twitter.com/J20Q7yd7Gv
7. If an attacker repacks the app with the logging activated and distributes it, all your #Aadhaar data will be available on the sdcard in clear. After that, it is super easy for the attacker to upload this log file to his server.
8. So @UIDAI and @KhoslaLabs, can you ask your interns... sorry, I meant: can you ask your developers to remove this "debug feature" from the APK?
cc @AndroidAuth @AndroidPolice @androidcentral @androidandme @Androidheadline @xdadevelopers @AndroidSPIN @TheHackersNews @verge @CNET @VICE @WIRED @JAMESWT_MHT @malwrhunterteam @hackerfantastic @LukasStefanko @ANDROIDPIT @FigaroTech @virqdroid @twandroid
@reporteric @OmarBelkaab @OtaXou @gkallenborn @LucieRonfaut @LucieRonfaut @MishaalRahman @Numerama @bviglia @SriramVSharma @zpring @stshank @campuscodi @lilyhnewman
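As an added illustration (not part of the original thread, and not the app's real code), the Python script below shows the mechanics behind tweets 2, 3 and 5: a static boolean like isLogger that is initialised to false in a class's <clinit> lives in the APK as a single sput-boolean instruction, and switching its source register from the one loaded with 0x0 (v1) to the one loaded with 0x1 (v0) is all it takes to turn the logging on. The smali block, the class name Lcom/example/app/Constants;, the second flag isProd and the register layout are constructed for this example; the app's real smali is only visible as a screenshot in the thread.

```python
"""Added example, not code from the original thread or the Aadhaar app.

Reads a (constructed) smali static initializer, reports the value each
static boolean is assigned, and rewrites the single sput-boolean for a
chosen flag so it takes its value from a register holding the other
constant. This is the "change v1 to v0 in one line" step of the thread.
"""
import re

# Constructed smali modelled on the thread's description: v0 holds true,
# v1 holds false, and isLogger is assigned from v1 (i.e. false by default).
# Class name and the extra isProd flag are hypothetical.
CLINIT_SMALI = """\
.method static constructor <clinit>()V
    .registers 2

    .prologue
    const/4 v0, 0x1

    const/4 v1, 0x0

    sput-boolean v1, Lcom/example/app/Constants;->isLogger:Z

    sput-boolean v0, Lcom/example/app/Constants;->isProd:Z

    return-void
.end method
"""

# const/4 <reg>, 0x0|0x1  (boolean constant loads)
CONST_RE = re.compile(r"^\s*const/4\s+(v\d+),\s*0x([01])\s*$")
# sput-boolean <reg>, Lpkg/Class;-><field>:Z
SPUT_RE = re.compile(r"^(\s*sput-boolean\s+)(v\d+)(,\s*\S+->(\w+):Z\s*)$")


def boolean_registers(smali):
    """Map register name -> bool for every const/4 0x0 / 0x1 load in the block."""
    regs = {}
    for line in smali.splitlines():
        m = CONST_RE.match(line)
        if m:
            regs[m.group(1)] = m.group(2) == "1"
    return regs


def static_flag_values(smali):
    """Map static boolean field name -> the value it is initialised to."""
    regs = boolean_registers(smali)
    values = {}
    for line in smali.splitlines():
        m = SPUT_RE.match(line)
        if m:
            values[m.group(4)] = regs.get(m.group(2))
    return values


def set_flag(smali, field, value):
    """Rewrite the sput-boolean for `field` to read from a register that
    already holds `value`. Returns (patched_smali, number_of_lines_changed).
    No new instructions are inserted, so register counts and offsets are
    untouched and apktool can rebuild the class without further edits."""
    regs = boolean_registers(smali)
    wanted = [r for r, v in regs.items() if v == value]
    if not wanted:
        raise ValueError("no register in this block holds %r" % value)
    out, changed = [], 0
    for line in smali.splitlines():
        m = SPUT_RE.match(line)
        if m and m.group(4) == field and m.group(2) not in wanted:
            line = m.group(1) + wanted[0] + m.group(3)
            changed += 1
        out.append(line)
    return "\n".join(out) + "\n", changed


if __name__ == "__main__":
    print("before:", static_flag_values(CLINIT_SMALI))
    patched, n = set_flag(CLINIT_SMALI, "isLogger", True)
    print("after: ", static_flag_values(patched), "(%d line changed)" % n)
```

static_flag_values() is also the check a reviewer would run over a release build's smali: a boolean that gates writeLog is no protection whatever its default, because the default is one register name away from being flipped; the only safe state is for the logging code not to be in the shipped APK at all.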