Hackers can bypass password lock on UIDAI’s mAadhaar app: Researcher
By Express News Service | Published: 14th March 2018 04:49 AM |
HYDERABAD: UIDAI’s mAadhaar app, which lets users carry a digital version of their 12-digit Aadhaar identity on a phone, is vulnerable to a data breach, claims French security researcher Robert Baptiste. In a 1:18 minute video posted on Twitter on Tuesday, Baptiste demonstrated how poor coding in the recently updated app lets an attacker bypass its password mechanism.
“The main issue with the Aadhaar Android app is that if an attacker has physical access to the device, he can easily bypass the password mechanism of the app,” tweeted Baptiste. UIDAI is meanwhile planning to add a feature called Virtual ID as an extra layer of security, but it is not clear whether that feature addresses a flaw in how the app protects data already stored on the device.
The mAadhaar app stores the following on the device: the user’s password (as a hash), notifications, the Ki value, the electronic Know Your Customer (e-KYC) profile data, biometrics, the Bio Lock timeout and the app configuration.
The e-KYC data includes the user ID, Aadhaar ID, name, date of birth, gender, address and photo. “UIDAI stores these biometric data in the user’s phone and if the phone is compromised, so is the information,” explained a cybersecurity researcher on condition of anonymity.
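The article does not say how the bypass works, only that physical access to the device defeats the app’s password check and that the sensitive data sits on the phone. The following Python is an added illustration, not UIDAI’s code, of the general design point: a password that merely gates the UI while the data key (or the data itself) is recoverable from storage protects nothing against someone holding the device, whereas deriving the data-encryption key from the password leaves nothing on disk that is sufficient to read the record. The record, the two storage layouts, the attacker routines and the HMAC-based stand-in cipher are all assumptions made for the example.

```python
"""
Added illustration, not UIDAI's code: a password check that only gates the UI
versus a password that is the sole source of the data-encryption key.  The
article does not describe the mAadhaar internals; both layouts below are
assumptions used to show the general point.
"""
import hashlib
import hmac
import json
import os
from typing import Optional

# Constructed sample record standing in for the e-KYC profile the article lists.
SAMPLE_EKYC = {"name": "Sample User", "dob": "1990-01-01", "gender": "F"}
PBKDF2_ROUNDS = 100_000


def _subkey(key: bytes, label: bytes) -> bytes:
    # Separate encryption and MAC keys from one master key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode: a stdlib-only stand-in for a real cipher.
    # A production app would use an AEAD such as AES-GCM instead.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> dict:
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(_subkey(key, b"enc"), nonce, len(plaintext))))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}


def decrypt(key: bytes, blob: dict) -> bytes:
    nonce, ct, tag = (bytes.fromhex(blob[k]) for k in ("nonce", "ct", "tag"))
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered ciphertext")
    return bytes(a ^ b for a, b in zip(ct, _keystream(_subkey(key, b"enc"), nonce, len(ct))))


# Design A (assumed): the password only guards a comparison.  The data key sits
# in the same private storage as the record, so the check is a UI gate only.
def gate_only_setup(password: str, record: dict) -> dict:
    salt = os.urandom(16)
    data_key = os.urandom(32)
    return {
        "salt": salt.hex(),
        "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS).hex(),
        "data_key": data_key.hex(),          # the weakness: the key is on disk
        "ekyc": encrypt(data_key, json.dumps(record).encode()),
    }


def gate_only_open(storage: dict, password: str) -> Optional[dict]:
    salt = bytes.fromhex(storage["salt"])
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    if not hmac.compare_digest(candidate, bytes.fromhex(storage["pw_hash"])):
        return None                          # what the UI reports as "wrong password"
    return json.loads(decrypt(bytes.fromhex(storage["data_key"]), storage["ekyc"]))


def attacker_gate_only(storage: dict) -> Optional[dict]:
    # Physical or root access to the app's private storage: overwrite the stored
    # hash with one for a password the attacker knows, then "log in" normally.
    # Reading data_key straight from storage would work just as well.
    tampered = dict(storage)
    salt = bytes.fromhex(storage["salt"])
    tampered["pw_hash"] = hashlib.pbkdf2_hmac("sha256", b"attacker", salt, PBKDF2_ROUNDS).hex()
    return gate_only_open(tampered, "attacker")


# Design B (assumed): the password is the only source of the key.  There is no
# verifier to overwrite and no key to read; a wrong password fails to decrypt.
def derived_key_setup(password: str, record: dict) -> dict:
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt.hex(), "ekyc": encrypt(key, json.dumps(record).encode())}


def derived_key_open(storage: dict, password: str) -> Optional[dict]:
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(storage["salt"]), PBKDF2_ROUNDS)
    try:
        return json.loads(decrypt(key, storage["ekyc"]))
    except ValueError:
        return None


def attacker_derived_key(storage: dict) -> Optional[dict]:
    # The same storage-level attacker: with only salt and ciphertext available,
    # the only remaining move is guessing the password.
    return derived_key_open(dict(storage), "attacker")


if __name__ == "__main__":
    a = gate_only_setup("1234", SAMPLE_EKYC)
    b = derived_key_setup("1234", SAMPLE_EKYC)
    print("gate-only, attacker reads record:", attacker_gate_only(a) == SAMPLE_EKYC)
    print("derived-key, attacker reads record:", attacker_derived_key(b) == SAMPLE_EKYC)
```

The caveat a practitioner will raise is that design B still exposes the ciphertext to offline password guessing, which matters a great deal when the “password” is a short PIN; the stronger pattern on Android is to keep the key in the hardware-backed Keystore and require user authentication before it can be used, so that no form of the secret is on disk at all. How UIDAI’s app actually stores the values listed above is not stated in the article.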
In January, Baptiste had pointed out four major flaws caused by poor coding in the mAadhaar app in a series of tweets. Those issues were fixed after UIDAI released an update to the app.
The mAadhaar app can be used as an alternative proof of identity, so the holder does not need to carry a physical copy of the document.
The app lets the user carry the Aadhaar number along with demographic details, provides biometric authentication, generates a Time-based One-Time Password (TOTP) instead of an SMS-based OTP, allows Aadhaar details to be updated, and can share a QR code and password-protected eKYC (Electronic Know Your Customer) data so that a verifier can retrieve accurate demographic information.