The week hasn’t started on a good note for UIDAI, the brains behind Aadhaar, which currently houses data of over 119 crore people in the country. After being scrutinised for its database security, courtesy the Tribune report, they’ve got new concerns now – this time regarding the Aadhaar mobile app.
Also Read: Unauthorised Access to Aadhaar Possible: The Tribune to UIDAI
According to Baptiste Robert, who goes by the alias Elliot Anderson on Twitter, has done a detailed testing of the mAadhaar Android app and given it 0 out 10 for its security standards. Speaking to FactorDaily earlier this week, he made sure to point out that the app has been made by interns or junior developers.
Elliot has been a constant presence on Twitter over the past few weeks, and has been constantly updating tweeple about the quality of the mAadhaar app, which is of grave concern to everyone right now.
Revealing his true identity and more about himself, Elliot mentioned that he has been researching the app, and has been staggered by the level of vulnerability the app has been designed around. As far his background is concerned, Elliot claims to be “working as an Android developer and an Android Open Source Project (AOSP) expert for European companies.”
So what got him digging into the mAadhaar app in the first place? To which Elliot mentions the fact that someone on Twitter had tipped him off to take a look at UIDAI’s app and its concerns.
At first, I didn’t know what Aadhaar is. It seems to be something with strong cultural and political ramifications. I’m clearly not legitimate to give an advice on it. I’m limiting myself to the security of the Android app.Elliot Anderson to FactorDaily
This clearly points out to the lack of any political or ideological motivation behind his move, and fair play to him when he admits that he’s merely looking at it from a security point of view of the Android app.
Also Read: What’s mAadhaar for Android, and How Does It Work?
Digging Dirt on mAadhaar
So, what did Elliot manage to unearth from his findings, and how bad is it for the Indian citizen, who’s data resides with the UIDAI?
Among the many points that Elliot highlights in the interview, the most eye-catching was the part where he said that people at UIDAI seem to have put the same password at the back-end for every user. This flaw potentially enables hackers to access information of all the people on the Aadhaar database with a single password.
He even posted a detailed video on how any hacker can access your account on the mAadhaar app without even knowing your password.
While it’s hard for us to verify those claims, leaving the back-end channels of the app open to such vulnerability doesn’t give us any confidence either.
In addition, Elliot also pointed out to few malware versions of the mAadhaar app that are available on the Google Play Store. He even suggested that UIDAI might have lost access to the primary that lets them update the app (citing the last update timeline as July 2017).
All this is just the tip of the iceberg, and after questioning whether UIDAI actually has a security team in place, his only advice to the authority was to get experienced developers on board, if they want any hopes of fixing the issues at large, which he believes can still be be fixed.
(At The Quint, we are answerable only to our audience. Play an active role in shaping our journalism by becoming a member. Because the truth is worth it.)