, 13 tweets, 5 min read Read on Twitter
So @uidai developers used the IMEI as a password for the local database of the mAadhaar #android app but why it is a problem? What are the dangers? Small thread 🔽🔽🔽
As said yesterday, they used sqlcipher which is a good thing
SQLCipher will encrypt the database. To decrypt it, you need to define a "password" and this is where the problems come
Developers: When you are using a lib, a tool or a SDK RTFM! Everything is written, you just have to read it.
The guys at @TeamZetetic, the authors of sqlcipher, published "SQLCipher Database Key Material and Selection" discuss.zetetic.net/t/sqlcipher-da…
It's crystal clear, the good practise is to take a passphrase from the user and mix it with a device id for example
This is more than clear: "that a significant part of the key material is a secret coming directly from the user when the application runs"
"Note that hardcoding a key in application code is not suitable for any secure implementation."
This one is for you @uidai, this is exactly what you did
As said in the text, let say your device has been compromised and I managed to retrieved the local database of the mAadhaar app.
The IMEI is a 15 decimal digits. Brute forcing the password of the db will take only few seconds
Interesting answer by a @TeamZetetic team member on the topic discuss.zetetic.net/t/sqlcipher-ho…
Nice article on how to hide the key of your database informit.com/articles/artic…
ffs if you want to improve your security and be a better developer, there is only one way: understand what you are using!
Missing some Tweet in this thread?
You can try to force a refresh.

Like this thread? Get email updates or save it to PDF!

Subscribe to Elliot Alderson
Profile picture

Get real-time email alerts when new unrolls are available from this author!

This content may be removed anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

Follow Us on Twitter!

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!