Aadhaar was always going to be a privacy nightmare in the best of cases, but recent reports of severe data breaches and the ensuing Tribune investigation have shown how easy it is for random people to access Aadhaar data for as low as Rs. 500. The worst part is that, rather than owning up, the government went into cover-up mode, denying that the breach even happened, even as the man behind it admitted to selling Aadhaar data for peanuts.
Now, the controversial identification system is once again under fire, this time thanks to an investigation by the well-known French security researcher Baptiste Robert, aka Elliot Anderson, who says that the recently released mAadhaar app has major security issues that make it “super easy to get the password for the local database”.
Anderson, for the uninitiated, is the same man who reported the presence of the EngineerMode APK in OnePlus’ OxygenOS, leading to severe controversy and backlash against the company.
According to Anderson, the Aadhaar app is saving all the biometric details in a local database that’s protected by a password. While that in itself is common practice, the fact that the app developers (KhoslaLabs) generate the password using a random number with 123456789 as seed and a hardcoded string db_password_123 is what’s now raising the hackles of privacy advocates. According to a proof-of-concept published by Anderson on Github, the generated password always remains the same, no matter how many times you start the application.
The #Aadhaar #android app is saving your biometric settings in a local database which is protected with a password. To generate the password they used a random number with 123456789 as seed and a hardcoded string db_password_123 🤦♂️ pic.twitter.com/Ty7cPmOjAb
— Baptiste Robert (@fs0c131y) January 10, 2018
According to Anderson, UIDAI responded to him saying that the app stores data on the device itself, but that was never the point of contention. The thing is, because the app doesn’t ‘actually’ generate a random password every time, if you lose your phone, the person in control of it will have access to all your details even though you’re technically logged out from the app.
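To make the problem concrete, here is an added illustration (not Anderson's proof-of-concept and not the app's own code) of why a PRNG seeded with a fixed value plus a hardcoded string is not a secret at all, alongside the kind of derivation a defender would expect instead. The exact way the app combined the seed and the string is not stated in the article, so the concatenation below is an assumption; the hardened variant, which derives the key from a user-held PIN and a per-device random salt with a memory-hard KDF, is likewise my suggestion rather than anything UIDAI or KhoslaLabs shipped.

```python
import hashlib
import random
import secrets

# Constructed stand-in for the scheme the article describes: a PRNG seeded
# with the fixed value 123456789 combined with the string "db_password_123".
# How the real app combined the two is not on the page; this is an assumption.
FIXED_SEED = 123456789
HARDCODED = "db_password_123"


def weak_db_password() -> str:
    """Deterministic 'password': identical on every launch and on every device,
    so anyone who reads the seed and string out of the APK can reproduce it."""
    rng = random.Random(FIXED_SEED)        # fixed seed -> fixed sequence
    number = rng.randint(0, 2**31 - 1)     # assumed single draw from the PRNG
    return f"{HARDCODED}{number}"


def is_reproducible_without_secret(password_fn) -> bool:
    """Defender's check: if two independent runs with no user input agree,
    the password carries no entropy the attacker lacks."""
    return password_fn() == password_fn()


def new_device_salt() -> bytes:
    """Per-install random salt from the OS CSPRNG (hypothetical hardened design)."""
    return secrets.token_bytes(16)


def derive_db_key(user_pin: str, salt: bytes) -> bytes:
    """Hardened alternative (assumption, not the app's method): the database
    key depends on a secret the user holds and a salt unique to the device.
    Without the PIN, possession of the phone or the APK is not enough."""
    return hashlib.scrypt(
        user_pin.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32
    )


if __name__ == "__main__":
    print("weak password, run 1:", weak_db_password())
    print("weak password, run 2:", weak_db_password())
    print("reproducible without secret:",
          is_reproducible_without_secret(weak_db_password))
    salt_a, salt_b = new_device_salt(), new_device_salt()
    print("device A key:", derive_db_key("1234", salt_a).hex())
    print("device B key:", derive_db_key("1234", salt_b).hex())
```

On Android the salt and any wrapping key would normally live in the Android Keystore rather than in the app's files, but the point the check makes is independent of platform: a "random" value whose seed is fixed in the binary is a constant, and a database protected by a constant is protected from no one who has the binary.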