French security researcher Robert Baptiste, who goes by the name Elliot Alderson on Twitter, made news when he showed the UIDAI’s official mAadhaar app to be insecure. Even after the UIDAI finally updated the mAadhaar app, it remains vulnerable.
He has now published another video showing how the password protection of the mAadhaar app can be bypassed to retrieve the Aadhaar holder’s protected information, using a modified APK and physical access to the phone. A rooted phone is not necessary.
The APK is modified to bypass the requirement of the password.
How to bypass the password protection of the official #Aadhaar #android #app in 1 minute.
For this attack, the attacker needs physical access to the phone; a rooted phone is not needed, and yes, this is the latest version of the app.
cc @uidai @ceo_uidai pic.twitter.com/7aZ0fvr0Wv
— Elliot Alderson (@fs0c131y) March 13, 2018
The failure of the Indian establishment to provide standard channels for reporting vulnerabilities means that vulnerabilities that are found are likely to be disclosed publicly and picked up by malicious actors, while the organisation remains uninterested in securing its apps.
Alderson has gone on a rampage across various Indian websites, demonstrating security flaws and leaks of data. He is currently trying to get in touch with ISRO and Apollo Hospitals about data leaks on their websites.
A data protection law cannot do much to protect data if there isn’t the will to secure it and to respond proactively to reports of problems. This is a repeated phenomenon: people who find vulnerabilities and would honestly like to report them are reduced to making noise about them on social media in order to get someone to pay attention. This unnecessarily alerts attackers that there is a vulnerability to be found on a specific site or app, which is identifiable from whose attention is being sought.
Given the glacial speed of responding to reports and the lack of proactive coordination with researchers reporting leaks (indeed, some have been threatened with lawsuits for doing the right thing!), the process of bug reporting itself becomes an added threat to security. Email addresses published for developers rarely work for receiving bug reports. One wonders why they are provided at all.
The Indian government urgently needs to provide proper bug reporting channels and ideally a bug bounty programme to find and repair vulnerabilities in crucial digital infrastructure.