UIDAI’s claims of hack-proof nature of the Aadhaar database and the mAadhaar app’s robust security has been debunked time and again, but UIDAI has always been in denial mode. One person in particular, Baptiste Robert aka Twitter’s Elliot Alderson, a French cybersecurity expert has warned about vulnerabilities in the mAadhaar app as well as other Indian apps and services multiple times. But despite his claims of finding Aadhaar data in the wild, UIDAI maintained that Aadhaar and UID remains very secure in a long Tweetstorm last week.
Alderson today released a video in response to UIDAI’s boastful claims of security. Titled “How to bypass the password protection of the official Aadhaar android app in 1 minute.”, it details a relatively simple method to evade the mAadhaar app’s so-called robust security measures.
How to bypass the password protection of the official #Aadhaar #android #app in 1 minute.
For this attack, the attacker need a physical access to the phone, rooted phone is not needed and yes this is the latest version of the app.
cc @uidai @ceo_uidai pic.twitter.com/7aZ0fvr0Wv— Baptiste Robert (@fs0c131y) March 13, 2018
Only a few lines of code are needed to bypass the password security protocol of the app, which is an elementary error. As per the video uploaded by Alderson, one only needs to have physical access to someone’s smartphone which has a modded mAadhaar app installed on it. Once a command, which is nothing more than a few lines of code, is executed, the mAadhaar app takes the hacker straight to the password reset page, without even asking to enter details like Aadhaar number and the old password.
The APK used has been tampered. To conduct the attack, the attacker will need this APK + a physical access to the victim phone
— Baptiste Robert (@fs0c131y) March 13, 2018
Moreover, one does not even have to root the stolen smartphone or perform complex hacking steps to bypass the mAadhaar app’s security firewall and access the Aadhaar details. The sheer ease with which the app’s poor security has been dodged is scary, and will surely give more sleepless nights to UIDAI chief Ajay Bhushan Pandey.
UIDAI’s attitude towards the security expert’s actions has been ‘unfriendly’ to say the least, indirectly labeling him as an ‘unscrupulous element’ whose claims should not be taken seriously. Well, now that the video has surfaced and has seemingly laid bare the truth of UIDAI’s claims, it remains to be seen what storm it stirs and what lesson UIDAI learns from the bitter realization.
