Profile picture
Elliot Alderson @fs0c131y
, 12 tweets, 10 min read Read on Twitter
Hi #Aadhaar 👋! Can we talk about the #BenefitsOfAadhaar for the #India population?

I quickly check your #android app on the #playstore and you have some security issues...It's super easy to get the password of the local database for example...🤦‍♂️

play.google.com/store/apps/det…
The #Aadhaar #android app is saving your biometric settings in a local database which is protected with a password. To generate the password they used a random number with 123456789 as seed and a hardcoded string db_password_123 🤦‍♂️
It can be good also to remove the "developer" endpoint from the release apk...
To be continued 😏
cc @AndroidAuth @AndroidPolice @androidcentral @androidandme @Androidheadline @xdadevelopers @AndroidSPIN @TheHackersNews @verge @CNET @VICE @WIRED @JAMESWT_MHT @malwrhunterteam @hackerfantastic @LukasStefanko @ANDROIDPIT @FigaroTech @virqdroid @twandroid
Woohoo! sounds like a lot of people are interested by #Aadhaar. I know what I will do during my flight now 😁
A lot of people asking me how bad is the generation of the local database password in the #Aadhaar #android #app.

I published a small POC here: github.com/fs0c131y/Aadha…

If you start the application multiple times you will see that the generated password are always the same
Storing data in a local database is a common practise in the #Android world.

In the #Aadhaar #android app they store:
- user password data (hash)
- notification
- Ki value
- EKYC Profile Data
- Biometric Prefs
- Bio Lock Timeout
- App Configuration
According to the official documentation, aadhaarapi.com/aadhaar-respon…, EKYC Profile Data contains the following data:
- User_Id
- Aadhar_Id
- Name
- Dob
- Gender
- Address
- Photo
- ...
So @UIDAI you are storing a biometric data on the local database: the photo of the user.
unroll
Missing some Tweet in this thread?
You can try to force a refresh.

Like this thread? Get email updates or save it to PDF!

Subscribe to Elliot Alderson
Profile picture

Get real-time email alerts when new unrolls are available from this author!

This content may be removed anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

Related hashtags

#Aadhaar #BenefitsOfAadhaar #India #android #playstore #app

More from @fs0c131y see all

Profile picture
In 1981, the Primrose fails on a beach of the North Sentinel Island, pushed by a typhoon. You can still see the wreckage on Google Map, in a creek, in the northwest. The crew was saved only by a helicopter operated by the Indian Navy.
Exact coordinates on Google Maps. Open the link, this Island is wonderful! google.com/maps/place/Nor…
Awesome article in French about the North Sentinel Island from @lemondefr lemonde.fr/international/…
Read 3 tweets
Profile picture
I have a @Frida question: How to deal with a HashMap? I'm intercepting a Java method, "this" has a Hashmap in his attributes. I want to print the content of this HashMap cc @oleavr @enovella_
cc @NowSecureMobile 👋
cc @fridadotre
Read 3 tweets
Profile picture
.@Paytm, the most used banking app in #India, just sent a dummy notification to his users in the middle of the night. Imagine the reaction of the guy (hacker?) when he realised that he just sent a notification to millions of people
Paytm published a tweet regarding this notification
Read 3 tweets

Related threads

Profile picture
Theres a certain guy/s pretending to be French security researcher exposing loopholes in #Aadhaar. Very charming! Why dont they tell you about the French military firm who implemented Aadhaar & even bought other CIA firm contracted by UIDAI? Now lets hear you say the name.
Wont you guys love to see the French mainstream media report against this French military firm taking control over #Aadhaar database & biometric profiles of all Indians? Isnt this tweet worthy for a security researcher, now that French & Indian govts have signed a secret deal?
I am hapoy to say French companies have invested over 20 billion euros in India... and developed the biometric technology that made it possible to register one billion Indians for the ID program Aadhaar.

- French President Francois Hollande on his visit to India in 2016.
Read 15 tweets
Profile picture
UIDAI forcing banks to ONLY hire Deloitte (a UK) firm for audits, giving it a monopoly, pay it ₹1,94,700 a unit is for the mandatory internal security audit for Aadhaar & also pay for the travel, boarding and lodging of Deloitte officials!
The #Aadhaar CIDR is neither w/UIDAI nor govt of India but is owned by a pvt US agency that is contractor for the FBI & CIA. Deloitte, the ONLY agency allowed by UIDAI to audit Aadhaar cybersecurity of Indian banks, also has an FBI connection! www2.deloitte.com/us/en/pages/ab…
Ti put his thread in context for those of you who are unfamiliar about what has been stated by army veterans before the Supreme Court about how India's Aadhaar biometric data base is practically in the hands of the FBI & CIA.
Read 5 tweets
Profile picture
Last #Aadhaar hearing (day 38) will begin shortly. Petitioners will conclude the rejoinder.
Senior advocate Gopal Subramanium will continue his submissions.
GS: Is Aadhaar really affirmative action? Is the act an enabler or is it in the guise of enabler? The act is not an instrumentality to deliver services. It is only a means of identification.
Read 41 tweets
Profile picture
#Aadhaar (day 35) hearing will begin shortly.
Advocate Zoheb Hossain will continue his submissions for State of Maharashtra and UIDAI.
ZH hands over a bunch of international charters and covenants to the bench on harmonization of socio-economic and civil political rights.
Read 43 tweets
Profile picture
#Aadhaar hearing. Gopal Sankaranarayanan, Adv. arguing for @ccsindia, intervenor in the matter.
DYC J begins by interjecting GSank to say one does have multiple identities but Aadhaar does not destroy those identities. As a father or a husband, of one's citizenship etc.
GSank: Aadhaar as a number who identifies me as a beneficiary of a subsidy, benefit or service.
Read 59 tweets
Profile picture
#Aadhaar hearing. KVV about to complete. He continues on proportionality and how the Act has not done the balancing.

(Internet issues inside the Court.)
Continuing internet issues.

KVV now referring to misinterpretation of LokNiti order by Union and challenges cell phone linking.

KVV concludes by pressing for extension even in Section 7 notifications. Pleading with A-G not take this in an adversarial manner.
Senior Adv Anand Grover now begins his submissions. He appears for @mathew111938.

His first point is that there are vast swathes of the Aadhaar project not even regulated by the Aadhaar Act.
Read 20 tweets

Trending hashtags

#Aadhaar #Aadhar #Auth #AadhaarVerdict #SupremeCourt #AadhaarJudgment #NeoFaceWatch #AadhaarSpies #aadhaar #DestroyTheAadhaarData #SC #FrenchKiss #SmartCities #FaceRecognition #AadhaarWarOnWomen #AadhaarFemicide #scobserver #Microsoft #NeoFaceReveal #CityNext #AadhaarScam #GoLive

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member and get exclusive features!

Premium member ($3.00/month or $30.00/year)

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!