Profile picture
Elliot Alderson @fs0c131y
, 12 tweets, 10 min read Read on Twitter
Hi #Aadhaar 👋! Can we talk about the #BenefitsOfAadhaar for the #India population?

I quickly check your #android app on the #playstore and you have some security issues...It's super easy to get the password of the local database for example...🤦‍♂️…
The #Aadhaar #android app is saving your biometric settings in a local database which is protected with a password. To generate the password they used a random number with 123456789 as seed and a hardcoded string db_password_123 🤦‍♂️
It can be good also to remove the "developer" endpoint from the release apk...
To be continued 😏
Woohoo! sounds like a lot of people are interested by #Aadhaar. I know what I will do during my flight now 😁
A lot of people asking me how bad is the generation of the local database password in the #Aadhaar #android #app.

I published a small POC here:…

If you start the application multiple times you will see that the generated password are always the same
Storing data in a local database is a common practise in the #Android world.

In the #Aadhaar #android app they store:
- user password data (hash)
- notification
- Ki value
- EKYC Profile Data
- Biometric Prefs
- Bio Lock Timeout
- App Configuration
According to the official documentation,…, EKYC Profile Data contains the following data:
- User_Id
- Aadhar_Id
- Name
- Dob
- Gender
- Address
- Photo
- ...
So @UIDAI you are storing a biometric data on the local database: the photo of the user.
Missing some Tweet in this thread?
You can try to force a refresh.

Like this thread? Get email updates or save it to PDF!

Subscribe to Elliot Alderson
Profile picture

Get real-time email alerts when new unrolls are available from this author!

This content may be removed anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member and get exclusive features!

Premium member ($3.00/month or $30.00/year)

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!