Profile picture
Elliot Alderson
@fs0c131y
, 13 tweets, 5 min read Read on Twitter
So @uidai developers used the IMEI as a password for the local database of the mAadhaar #android app but why it is a problem? What are the dangers? Small thread 🔽🔽🔽
As said yesterday, they used sqlcipher which is a good thing
SQLCipher will encrypt the database. To decrypt it, you need to define a "password" and this is where the problems come
Developers: When you are using a lib, a tool or a SDK RTFM! Everything is written, you just have to read it.
The guys at @TeamZetetic, the authors of sqlcipher, published "SQLCipher Database Key Material and Selection" discuss.zetetic.net/t/sqlcipher-da…
It's crystal clear, the good practise is to take a passphrase from the user and mix it with a device id for example
This is more than clear: "that a significant part of the key material is a secret coming directly from the user when the application runs"
"Note that hardcoding a key in application code is not suitable for any secure implementation."
This one is for you @uidai, this is exactly what you did
As said in the text, let say your device has been compromised and I managed to retrieved the local database of the mAadhaar app.
The IMEI is a 15 decimal digits. Brute forcing the password of the db will take only few seconds
Interesting answer by a @TeamZetetic team member on the topic discuss.zetetic.net/t/sqlcipher-ho…
Nice article on how to hide the key of your database informit.com/articles/artic…
ffs if you want to improve your security and be a better developer, there is only one way: understand what you are using!
Missing some Tweet in this thread?
You can try to force a refresh.

Like this thread? Get email updates or save it to PDF!

Subscribe to Elliot Alderson
Profile picture

Get real-time email alerts when new unrolls are available from this author!

This content may be removed anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

Related hashtags

#android

More from @fs0c131y see all

Profile picture
Elliot Alderson
@fs0c131y
Hi @UIDAI,

This #Android app is asking their user to link their #Aadhaar card with the app. I thought it was illegal 🤔... and you?
The app description is priceless...
Apparently, nobody told to the guys in the "Made in #India" wagon that https exist.
Read 11 tweets
Profile picture
Elliot Alderson
@fs0c131y
Thread: I'm back from lunch, it's time to show you how to remove the root detection and the anti tampering mechanism from the mAadhaar app, the official #Android app of @UIDAI. 1/n
Like yesterday, I will work on version 1.1.4 of the application 2/n
The first step is the same 3/n
Read 23 tweets
Profile picture
Elliot Alderson
@fs0c131y
Thread: Tonight, I will try to find the password of the local database created on my phone by the mAadhaar app, the official #Android app of @UIDAI. I'm not sure I will manage to do it but hey keep in touch 🤷‍♂️ 1/n
The goal of this thread is to share with you the process and the tool I'm using 2/n
For my recent followers: I worked on this app last year, the result was not good for them... 3/n
Read 14 tweets

Related threads

Profile picture
Dustin LaPres
@DstnLap
#Thread Now is NOT the time for ridiculous partisan chicanery or fighting amongst ourselves. We have multiple emergent threats: RU, China, DPRK, & IRAN, not to mention the Terrorist problem in the Middle East. We are at a critical aperture defenseone.com/threats/2019/0… via @defenseone
2.) In our Nation's Geopolitical future. We should be taxing ourselves as much as humanly possible so that we may achieve some mission critical goals. We MUST upgrade our National infrastructure-if we don't bring our Grid & infrastructure into the 21st Century we are in grave
3.) Danger every single day because any one of those Nation States could throw the country into total blackout via cyberattack on our Grid & SCADA Systems. We have Gov. Offices still running Win XP for God's sakes...A blackout, if done properly could last for a year or more which
Read 9 tweets
Profile picture
indus3 [Jan/3➞₿🔑∎] proofofkeys.com
@indvs3
Some of you may have noticed that I'm sporting a new tag in my screen name. It's not just a fad though, allow me to explain in this lil ol' #thread:
1/ As you (should) know, january 3rd marks the actual birthday of #Bitcoin, as it was the day that Satoshi mined the first blocks and hence set the Bitcoin story into motion. Upcoming jan 3rd will be the 10th anniversary and this would be an obvious time for celebrations.
2/ @TraceMayer took the initiative of a call-to-arms for all HODLers-of-last-resort, to join him and quite a few other prominent bitcoiners like @giacomozucco, @theonevortex and @CaitlinLong_, just to name some, and also sport the same tag in their screen name.
Read 27 tweets
Profile picture
AnupamSaraph
@AnupamSaraph
#Thread on the Ghosts of #Aadhaar

Are subsidies, benefits and services from the Consolidated Fund of india being siphoned by the Ghosts and duplicates of Aadhaar?
In order to assign an #Aadhaar number at least two Primary IDs are required by the UIDAI - one as proof of identity and another as a proof of address. uidai.gov.in/enrolment-upda…
According to data provided by the UIDAI, in its Affidavit to the SC, only 60 crores could have used the voter ID, 29 crores PAN,17.37 crores a drivers license, 15.17 crores a ration card and 6.9 crores a Passport as their Primary ID to obtain a Secondary ID, the #Aadhaar
Read 20 tweets
Profile picture
GreatGameIndia
@GreatGameIndia
#THREAD
Gemalto has apologised for publishing erroneous report on Aadhaar data breach. But why would a world class firm mislead the people of India? What has Gemalto to gain from it? Does Gemalto has stakes in #Aadhaar? Lets see which journalist has the courage to report this.
To understand whats really going on you must first know the background of Gemalto and where it comes from, that would bring things into clear perspective. Then we would address the Aadhaar issue and how the People of India is being mislead by UIDAI.

Neville Pattinson Vice President, Government affairs at Gemalto is board member of Smart Card Alliance a RFID industry group, also serving US Department of Homeland Security's Data Privacy & Integrity Advisory Committee - inchanrge of various Govts biometric programs like Aadhaar
Read 20 tweets
Profile picture
Subomi
@subomiplumptre
I JUST WANT TO FEEL SOMETHING | I recently started drinking again after a long time of not drinking. #Thread #Nigeria #Unhappiness
Yesterday, as I considered my glass of single malt whiskey, I remembered a friend who wrote about sleeping with random women. After I read his article, I asked why he did it, since he didn't seem like the "promiscuous" type. He said he just wanted to feel something.
"Life is hard in Nigeria", he said. "I go to work every day and am stuck in traffic for 3 hours. I don't really connect with the people around me, so there's no one to ask how my day went. Each day is the same. I needed to feel something."
Read 9 tweets
Profile picture
V. Anand | வெ. ஆனந்த்
@iam_anandv
Looks like #mAadhaar is back in news again because of @fs0c131y . For those who are wondering, what the problem is with the OTP code, of mAadhaar, a short primer follows: 👇
1. Clients need secrets to talk with servers. Usually clients need to authenticate themselves. (Password).
2. In this case, the password is the OTP. Unlike a password, which is in *your head*, the OTP is a dynamic password sent to the phone via SMS. So if OTP is revealed?
3. Whoever gets the OTP, becomes you. This is not new type of attack, but one that we see on Banking all the time. So what does mAadhaar use OTP for?
4. It exchanges a secret with the Android App. And the secret is then used to generate VID, TOTP etc.
Read 8 tweets

Trending hashtags

#AAnon #Ghazni #Internet #REKT #Fil #MSDyn365 #MJ #Hindutva #PatriotsUnited #Russians #KeralaFloods #MinutesToMidnight #MSM #YouTube #SoundCloud #BuildingBridges #RaceRebels #February1st #ThirdTerm #MSDyn365FO #VLC #DworkinReport #Aadhaar #Hinduness #Election2016
Follow Us on Twitter!

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!