Unveiling the Aadhaar Security Breach Incident


Abhinav Srivastava, an IIT Kharagpur graduate, developed an Android app that exposed a serious security vulnerability in the Aadhaar ecosystem. The app relied on a publicly available API that lacked encryption and validation, allowing Aadhaar data to be retrieved via an OTP without authorisation. Despite being intended to combat fake Aadhaar cards, the app drew legal scrutiny, highlighting the importance of secure development practices and the consequences of security lapses in critical systems.


Uploaded on Sep 14, 2024



Presentation Transcript


  1. Security through obscurity and fear
     Abhinav Srivastava

  2. Who am I?
     IIT Kharagpur graduate 2009, started career as a security researcher at iViZ Security
     Founded Qarth Technologies with Govt funding and incubation support at IIT Madras, 2011
     Developed the first version of the secure UPI architecture in 2012
     Startup acquired by Ola in 2016. Now works at Ola Innovation Labs on the connected cars platform

  3. Why am I here?

  4. What exactly happened?
     An Android app was discovered on the Play Store providing Aadhaar data via an OTP
     The publisher of the app (my personal email) was not an authorised Aadhaar eKYC agency
     FUD!!!

  5. How was the app working?
     The app was using a publicly available API developed by NIC, which was used in one of their apps, named eHospital

  6. What was the security vulnerability?
     No HTTPS, no SSL pinning in the eHospital app
     No request and response payload encryption
     Password stored in the Android app
     No demographic validation and no rate limiting on the server
     Basically an insecure public API, reachable from anywhere in the world, for providing Aadhaar details through an OTP

  7. Why develop such an app?

  8. Why develop such an app?
     Fake Aadhaar is a serious problem
     Need an easy way to validate an Aadhaar number
     A simple Android app can empower citizens to verify an Aadhaar card in seconds
     Never save the user's Aadhaar data in any form in the process

  9. Why the hype?
     Case tagged as a network security issue
     Hyped up by the media as a national security breach
     Nobody - media or police - understood the technology behind the app
     Overaggressive approach by police and judiciary - State vs Abhinav Srivastava

  10. Key questions
      Did the Aadhaar database get hacked? - NO
      Was it a national security issue? - NO
      Is the Aadhaar ecosystem secure? - NO
      Is there any other security loophole? - MAYBE

  11. Q & A
