Elliot Alderson, the French security researcher who posted a series of tweets about the vulnerabilities in the UIDAI's mAadhaar app, believes that the government may have lost the release key needed to sign updates to the app.

He bases this on several observations made across his tweets. Both Khosla Labs and the UIDAI's Play Store account have been quick to act on his tweets in one form or another. Khosla Labs removed the Aadhaar Bridge SDK from its GitHub account within hours of Elliot tweeting about it. The UIDAI's Play Store account, for its part, appears to have uploaded some test apps that tried to get the encryption right using some copy-pasted sample code, and then deleted them when Elliot ridiculed such amateurish behaviour from an organisation of the UIDAI's nature.

So there are clearly people paying attention to his tweets and acting on them, which makes it inexplicable that the vulnerable app itself has not been updated already.

Despite the series of tweets explaining the vulnerabilities in the mAadhaar app, some of which should not be time-consuming to fix, the app has not been updated since the 22nd of July 2017.

If Elliot is correct in his speculation, the implications are fairly serious. An estimated 10 to 50 lakh (one to five million) users have installed the vulnerable app on their phones. Android only accepts an update to an installed app if the new build is signed with the same key as the installed one, so without the release key the UIDAI cannot push a fixed version to those phones, leaving them exposed. Even if the UIDAI publishes an improved version as a new app under a different package name, existing users would not know to switch to it, as a different app produces no update notification.
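To make the mechanism concrete, here is an added example, not code from this post, the UIDAI or Google, that models the check Android's package manager performs before replacing an installed app: same package name, a higher versionCode, and the same signing certificate bytes. The package name example.gov.mobileid, the certificate names and the version numbers are hypothetical; the two keys are generated on the fly to stand in for a 2017 release key and a replacement key created after the original was lost.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// Package holds the fields the package manager consults when deciding whether a
// candidate APK may replace an installed one. Real APKs carry the signer
// certificate in their signature block; here it is passed in directly.
type Package struct {
	Name        string   // applicationId; example.gov.mobileid below is hypothetical
	VersionCode int      // Play only offers an update if this is higher
	SignerCerts [][]byte // DER-encoded X.509 signing certificates
}

// fingerprint returns the SHA-256 of a DER certificate, the value that
// `apksigner verify --print-certs` and `keytool -list` print for comparison.
func fingerprint(der []byte) string {
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:])
}

// sameSigners reports whether both certificate sets are identical. Android
// compares certificate bytes, not subject names or developer accounts, so a
// freshly generated key, however "official", is a different signer.
func sameSigners(a, b [][]byte) bool {
	if len(a) != len(b) {
		return false
	}
	seen := make(map[string]bool, len(a))
	for _, c := range a {
		seen[fingerprint(c)] = true
	}
	for _, c := range b {
		if !seen[fingerprint(c)] {
			return false
		}
	}
	return true
}

// CanUpdate mirrors the install-time decision. A signer mismatch is Android's
// INSTALL_FAILED_UPDATE_INCOMPATIBLE error, which is why an app whose release
// key is lost has no in-place update path for existing installs.
func CanUpdate(installed, candidate Package) (bool, string) {
	if installed.Name != candidate.Name {
		return false, "different package name: a separate app, never offered as an update"
	}
	if candidate.VersionCode <= installed.VersionCode {
		return false, "versionCode not higher than the installed one"
	}
	if !sameSigners(installed.SignerCerts, candidate.SignerCerts) {
		return false, "INSTALL_FAILED_UPDATE_INCOMPATIBLE: signing certificates differ"
	}
	return true, "accepted"
}

// selfSignedCert generates a throwaway P-256 key and self-signed certificate,
// standing in for one entry in a developer's release keystore.
func selfSignedCert(cn string) []byte {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(25 * 365 * 24 * time.Hour), // Play requires a long validity period
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return der
}

func main() {
	// Constructed scenario: the original release key and a replacement key.
	oldKey := selfSignedCert("release-key-2017")
	newKey := selfSignedCert("release-key-2018")
	installed := Package{Name: "example.gov.mobileid", VersionCode: 1, SignerCerts: [][]byte{oldKey}}

	candidates := []Package{
		{Name: "example.gov.mobileid", VersionCode: 2, SignerCerts: [][]byte{oldKey}},  // fixed build, same key
		{Name: "example.gov.mobileid", VersionCode: 2, SignerCerts: [][]byte{newKey}},  // fixed build, new key
		{Name: "example.gov.mobileid2", VersionCode: 1, SignerCerts: [][]byte{newKey}}, // republished under a new name
	}
	fmt.Println("installed signer:", fingerprint(oldKey)[:16])
	for _, c := range candidates {
		ok, why := CanUpdate(installed, c)
		fmt.Printf("%-22s v%d signer %s -> %v (%s)\n", c.Name, c.VersionCode, fingerprint(c.SignerCerts[0])[:16], ok, why)
	}
}
```

Two caveats a practitioner would check. First, to see whether a new upload was signed with the same key as the build already on phones, compare the SHA-256 certificate fingerprints that `apksigner verify --print-certs` prints for both APKs; anything other than an exact match means existing installs will refuse it. Second, APK Signature Scheme v3 (Android 9 and later) does allow a developer to rotate to a new signing key, but the proof-of-rotation must itself be signed by the old key, so rotation is no way out once that key is gone.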

I hope Elliot is wrong, though the incompetence of the UIDAI so far leaves one with little hope.

Update: Almost a month after the original vulnerabilities were tweeted, the app still has not been updated. This lends credence to Elliot's claim that the UIDAI may have lost the release key.


Vidyut

Vidyut is a commentator on socio-political issues with a keen understanding of tech and policy. She has been observing and commenting on Aadhaar since 2010 from a perspective of human rights, democracy and technological robustness.
