A French security researcher claims that the UIDAI’s official app mAadhaar is vulnerable to potential data breach even after UIDAI has updated it.
The researcher, Robert Baptiste, posted a one-minute-long video on Twitter in which he demonstrated the security flaw in the recently updated mAadhaar app.
In the video he showed a way to retrieve secured information of the Aadhaar card holder by using a modified APK and physical access to the phone. A rooted phone is not necessary.
“The main issue with the Aadhaar Android app is that if an attacker has physical access to the device, he can easily bypass the password mechanism of the app,” tweeted Baptiste.
The mAadhaar app is the digital copy of the Aadhaar card. Apart from the Aadhaar details, it stores the user password data (hash), notifications, the Ki value, electronic Know Your Customer (e-KYC) profile data, biometrics, the Bio Lock Timeout and the app configuration.
The e-KYC data contains information such as “User Id, Aadhaar Id, name, date of birth, gender, address and photo. UIDAI stores these biometric data in the user’s phone and if the phone is compromised, so is the information,” said a researcher.
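The bypass described above works against a design where the password check is only a gate in the app's code and the profile data sits beside it in readable form. The following is an added illustration, not code from the mAadhaar app or from the researcher: it contrasts that gate-only design with one where the stored record is encrypted under a key derived from the password, so that skipping the check in a modified build yields nothing readable. The sample record is constructed, and the HMAC-based stream cipher is a demonstration construction standing in for an AEAD such as AES-GCM.

```python
import hashlib
import hmac
import os

# Constructed stand-in for an e-KYC profile record (not real data).
SAMPLE_RECORD = b"name=Example Holder;dob=1990-01-01;gender=X;address=Example Lane 1"
PBKDF2_ROUNDS = 100_000  # tune upward for production use


def gate_only_store(password, record):
    """Design A: keep a password hash as a gate, store the record in clear."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "hash": digest, "record": record}


def gate_only_read(store, password, check_enabled=True):
    """The app's check; a modified build can simply skip it (check_enabled=False)."""
    if check_enabled:
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), store["salt"], PBKDF2_ROUNDS)
        if not hmac.compare_digest(digest, store["hash"]):
            return None
    return store["record"]  # plaintext was on disk all along


def _keystream(key, nonce, length):
    """Counter-mode keystream from HMAC-SHA256 (demonstration construction only)."""
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]


def _derive_keys(password, salt):
    master = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS, dklen=64)
    return master[:32], master[32:]  # encryption key, MAC key


def encrypted_store(password, record):
    """Design B: no usable plaintext on disk; the password is the only way to the key."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _derive_keys(password, salt)
    ciphertext = bytes(a ^ b for a, b in zip(record, _keystream(enc_key, nonce, len(record))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "ct": ciphertext, "tag": tag}


def encrypted_read(store, password):
    """Verify the tag first; a wrong password or tampered record yields None."""
    enc_key, mac_key = _derive_keys(password, store["salt"])
    tag = hmac.new(mac_key, store["nonce"] + store["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, store["tag"]):
        return None
    stream = _keystream(enc_key, store["nonce"], len(store["ct"]))
    return bytes(a ^ b for a, b in zip(store["ct"], stream))
```

With design B, a build that skips the UI check still has to supply the correct password to derive the key, so physical access alone does not expose the record.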