Twitter user points out mAadhaar app security flaw that can be used to steal data

By Jayaditya Chakrabarty

Elliot Alderson – a name that fans of the TV series Mr. Robot will know as its protagonist. But someone is using this name on Twitter to expose some critical security flaws in the mAadhaar app, which happens to be the hottest and most debated topic these days. This Twitter user claims that user data can be stolen if someone has physical access to the victim’s phone.

In this tweet thread, he explained the flaw and pointed out the security issues the app has. According to him, it is very easy to recover the password for the local database, since mAadhaar saves the user’s Aadhaar-related data locally, protected only by that password.

[Image: mAadhaar app]

To generate the password, he used a random number generator seeded with 123456789 together with the hardcoded string db_password_123. Also, the debug feature lets someone repack the app with logging activated and distribute it, so that the Aadhaar data is written to the SD card; the attacker can then easily upload the log file to his server. The debug feature is enabled by default in the mAadhaar app.
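The security-relevant point in the claim above is determinism: a fixed PRNG seed plus a constant in the source means every install derives the same password, so anyone who decompiles the APK has it. The Java class below is an added illustration of that anti-pattern beside a hardened alternative; it is not the mAadhaar app's code, and the hash-based derivation, the class and method names, and the 16-byte salt length are assumptions chosen for the demo. Only the seed 123456789 and the string db_password_123 come from the article.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import java.util.Random;

public class LocalDbPasswordDemo {

    // Values named in the article. How they are combined below is a
    // hypothetical reconstruction of the pattern, not the app's real code.
    static final long FIXED_SEED = 123456789L;
    static final String HARDCODED = "db_password_123";

    /**
     * Weak pattern: java.util.Random with a constant seed yields the same
     * byte stream on every device, and the hardcoded string is in the APK.
     * The resulting "password" is therefore identical for every install
     * and offers no protection once the app is reverse engineered.
     */
    static String weakDbPassword() throws NoSuchAlgorithmException {
        Random rng = new Random(FIXED_SEED);   // deterministic, not a CSPRNG
        byte[] salt = new byte[16];            // assumed length for the demo
        rng.nextBytes(salt);
        MessageDigest sha = MessageDigest.getInstance("SHA-256");
        sha.update(salt);
        sha.update(HARDCODED.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(sha.digest());
    }

    /**
     * Hardened pattern: a fresh 256-bit key from a cryptographically secure
     * RNG, generated once per install. On Android the key should live in the
     * Android Keystore (KeyGenerator with the "AndroidKeyStore" provider) so
     * it never appears in source, logs, or a world-readable file.
     */
    static byte[] strongDbKey() {
        byte[] key = new byte[32];
        new SecureRandom().nextBytes(key);
        return key;
    }

    /** Simple check a reviewer can run: does the derivation vary between installs? */
    static boolean isDeterministic(String first, String second) {
        return first.equals(second);
    }

    public static void main(String[] args) throws Exception {
        // Simulate two different devices installing the same APK.
        String deviceA = weakDbPassword();
        String deviceB = weakDbPassword();
        System.out.println("weak password identical across installs: "
                + isDeterministic(deviceA, deviceB));   // true

        byte[] keyA = strongDbKey();
        byte[] keyB = strongDbKey();
        System.out.println("strong key identical across installs: "
                + Arrays.equals(keyA, keyB));            // false
    }
}
```

The weak branch "works" in the sense that the app can always reopen its own database, which is exactly why such code survives testing: the defect only shows up when you ask whether a second party could compute the same value, and the answer here is yes for every install.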


When he tweeted this to UIDAI, they were quick to respond, saying that mAadhaar uses a local db to store the user preferences on the user’s device. This data is application preferences as created by the user on his/her phone. The app does not capture, store or take any biometric inputs, so the question of biometrics being compromised does not arise. Here’s his tweet and the response from UIDAI:

He also showed proof of an Aadhaar database password generator which, according to him, generates the same password every time, making it relatively easy to crack. However, it is not certain whether this works in real life.


This is not the first time someone has shown flaws in Aadhaar. Earlier, an engineering graduate revealed how he could gain access to the database using the e-KYC Verification app. Just last week, a report revealed that a major security loophole is present in the Aadhaar database.

That loophole reportedly made it easy for anyone to get unrestricted access to the database by paying as little as Rs. 500, or around $8. Now, this new revelation may leave many of us with less hope in the UIDAI, and may also undermine the claims made by the Government and UIDAI that Aadhaar data is in safe hands.
