wordpress blog stats
Connect with us

Hi, what are you looking for?

The mAadhaar app possibly brings risk of data, identity and monetary theft for users

by Vidyut

French security researcher who goes by the persona ‘Elliot Alderson’ (Eliot Alderson is a character in the TV Show Mr Robot) revealed what appear to be serious flaws in the mAadhaar app recently. While Elliot described the risk of data theft due to the vulnerabilities, the alleged flaws actually are more dangerous than just leaking information and  put Aadhaar holders at risk of data, identity and monetary theft.

According to Google Playstore, the mAadhaar app has between 1 and 5 million installs.

Alderson demonstrated how having access to a phone containing the mAadhaar app could let an attacker retrieve the Aadhaar information due to poor coding practices being used while making the app.

The hard-coded string and lack of proper randomization lead to a predictable password being generated that can easily be hacked and used to access the data secured by the app. He published a proof of concept to demonstrate how that worked.

And later published a short video showing how it would take less than a minute to access the Aadhaar details on the phone if a hacker knew what they were doing.

Knowing the Aadhaar number provides information like the name of the bank where the Aadhaar holder has an account. An unauthorized person knowing your Aadhaar ID and having access to the SIM linked to it is extremely risky.

How this could put the user at risk

If an attacker has access to the mobile phone, accessing the Aadhaar number allows the attacker to install one of several Aadhaar Pay apps that transfer funds between bank accounts linked with two Aadhaar numbers based on Aadhaar authentication alone.

Authorizing the app would be a simple process given that the mAadhaar app can only be used from the phone that contains the SIM linked to the Aadhaar number being stored. mAadhaar being installed on the phone means that the Aadhaar Pay apps could be authenticated from that phone itself. Within a matter of minutes, a malicious attacker could transfer funds from the bank account connected to the Aadhaar ID to another bank account and Aadhaar ID controlled by them (and likely to be untraceable).

As a consequence, for someone with physical access to the phone can not just access the authenticated Aadhaar data of the Aadhaar holder, a person with the kind of access to hack the phone could also steal the Aadhaar holder’s money if they have linked the Aadhaar to a bank account or they could use the SIM found on the phone to receive an OTP and change the phone number linked to the Aadhaar card in order to hijack access to it for further misuse.

This is not so farfetched in a country with widespread lack of awareness about digital security. For example, someone may not have removed their SIM and SDcard while giving a phone to a mobile repair person. It would not be very hard for someone to access the Aadhaar information on any phone with mAadhaar app installed that comes in for repairs, giving them a ready supply of Aadhaar cards to exploit easily.

It has been 5 days since Alderson first reported the vulnerabilities in the mAadhaar app, and so far, the app has not been updated since the 22nd of July 2017, even though the UIDAI’s playstore account has been actively uploading test apps, and deleting them as soon as Alderson commented on their amateurish work. Alderson suspects, that in spite of all the prompt activity, if the mAadhaar app has not been updated in spite of the vulnerabilities exposed, the UIDAI may be unable to update the mAadhaar app. This could happen if they had lost the release key, which would be required for updating the app.

If what Alderson suspects is correct, the implications are far more serious, as there would not be an update for the mAadhaar app and thus the lakhs of installed apps on phones would never be updated and would remain a permanent security breach unless users independently uninstalled them. Even if UIDAI removed the mAadhaar app from the playstore altogether, the existing users would still have the app, and thus remain vulnerable in the absense of an update fixing the serious security flaws.

This basically means that if the UIDAI is not able to update its app, it leaves up to 5 million users vulnerable to identity theft for as long as Aadhaar exists and financial fraud for as long as the Aadhaar bridge exists and allows money transfers on the basis of the information stored on the phone.

Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

You May Also Like


The Indian government has urged states to eliminate “proxies” during the COVID-19 vaccine rollout by using Aadhaar to identity beneficiaries. The Empowered Group on...


Rejected payments continue to hamper the Mahatma Gandhi National Rural Employment Guarantee (MNREGA) program due to authentication failures or bank/payment system problems, a report...


The CoWIN app — short for COVID Vaccine Intelligence Network — will use an Aadhaar-based authentication system for the eventual rollout of COVID-19 vaccines,...


Aadhaar authentication will be used on a voluntary basis to create Unique Health Identifiers (UHID) for citizens, according to a gazette notification issued by...

MediaNama is the premier source of information and analysis on Technology Policy in India. More about MediaNama, and contact information, here.

© 2008-2018 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ

Subscribe to Daily Newsletter

    © 2008-2018 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ