Hackers can bypass password lock on UIDAI’s mAadhaar app: Researcher

In a one minute long video posted on Twitter, a French security researcher demonstrated that the bad coding of the app paves way for an attacker to bypass the password mechanism.

Published: 14th March 2018 04:49 AM | Last Updated: 14th March 2018 05:05 AM


By Express News Service

HYDERABAD: UIDAI’s prestigious mAadhaar app, which allows you to save a digital version of the 12-digit unique identity card, is vulnerable to a potential data breach, claims French security researcher Robert Baptiste. In a one-minute-long video posted on Twitter, Baptiste demonstrated the flaw.

The bad coding of the app paves the way for an attacker to bypass the app’s password mechanism, Robert Baptiste tweeted on Tuesday. He demonstrated the security flaw in the recently updated mAadhaar app in a 1:18-minute-long video posted on Twitter.

“The main issue with the Aadhaar Android app is that if an attacker has physical access to the device, he can easily bypass the password mechanism of the app,” tweeted Baptiste. The UIDAI, however, is planning to add a feature called Virtual-ID as an extra layer of security. But it is not clear whether the new feature can resolve this issue.

The mAadhaar app stores the user’s password data (hash), notifications, the Ki value, electronic Know Your Customer (e-KYC) profile data, biometrics, the Bio Lock Timeout and the app configuration.

The e-KYC data contains information such as “User ID, Aadhaar ID, name, date of birth, gender, address and photo. UIDAI stores these biometric data in the user’s phone and if the phone is compromised, so is the information,” explained a cybersecurity researcher on condition of anonymity.

In January, Baptiste had pointed out four major flaws due to bad coding in the mAadhaar app in a series of tweets. These issues were later fixed after UIDAI released an update to the app. The mAadhaar app can be used as an alternate ID proof, so one does not need to carry a physical copy of the document.

The app lets the user carry their Aadhaar number with demographic details, provides secure biometric authentication, generates a Time-based One-Time Password (TOTP) instead of an SMS-based OTP, allows Aadhaar details to be updated, and shares a QR code and password-protected eKYC (electronic Know Your Customer) data so that accurate demographic information can be retrieved.
