Part 1 – Truth Behind Propaganda Against mAadhaar Security

Note: I generally never get involved in controversies, but I have been observing a few people outside India (self-claimed security researchers) trying to spread propaganda against the security of Indian government apps. Moreover, the intention behind these activities was not to help the government or the people but to scare millions of people and disturb the peace. This blog post will help you find the answer for yourself: is it really a security threat, or just propaganda?

Also, this post is an honest security analysis of the talk and is not biased by any political agenda. It is a purely technical review.

I respect the security community, but it is a bit worrisome to see some people making false claims about things they probably do not understand. Being a security analyst myself, I am in a position to validate some of these claims.

How am I qualified to analyse a talk about a security breach of mAadhaar?

  • In the last two years I have pentested more than 300 mobile apps (iOS and Android) from top companies and have earned around USD 200,000 in bounties for mobile findings alone.
  • I am the author of the book “Learning iOS Penetration Testing”, which is dedicated to mobile app security.
  • I also lead OWASP iGoat, an iOS app built for learning mobile app security.
  • I also gave a talk at the DEF CON AppSec Village (Las Vegas) right after the mAadhaar talk (here is a photo of the agenda).

[Screenshot: DEF CON AppSec Village agenda]

One fine day I was surfing the internet and was surprised to see news saying that Aadhaar, or the app, had been hacked!

[Screenshot: news headline]

Other headlines were similar:

[Screenshot: news headline]

As a security engineer, I assumed there had been a breach of Aadhaar data or some kind of zero-day!

I checked a couple of tweets from the self-claimed security researcher but, frankly, they did not make any sense to me, and there was no indication of a security breach or any kind of zero-day.

On August 11, 2019, I was in Las Vegas for DEF CON (and also for AppSec Village). I was really excited for two reasons:

  1. I was about to attend the talk “History of the worst Android app ever: mAadhaar” in person, and
  2. I was giving my own talk on mobile security right after it.

However, after the self-claimed security researcher’s talk I was blank for some time! I had no words, because the described vulnerabilities did not add up. The vulnerabilities discussed were nowhere near a security breach, a zero-day or theft of biometric data.

Here is a quick decoding of his talk:

1. Root Detection Bypass Using Frida

He was able to bypass root detection in the mAadhaar app using Frida.


Conclusion: If you pentest 100 mobile apps, you will be able to bypass root detection easily in more than 90 of them. This is client-side validation, and it is a cat-and-mouse game: even if you add new checks tomorrow, there will always be a way to bypass them, because the attacker controls the device the check runs on.

2. Tampering Detection Bypass Using Frida

He was able to bypass tampering detection using Frida.


Conclusion: Again, this is client-side validation, and in most apps it can be bypassed easily. No app is bulletproof against client-side attacks; there is always a way around them, it is just a matter of time.

3. Debug Flag Detection Bypass Using Frida

He was able to bypass the debug flag detection using Frida.


Conclusion: So? This is yet another client-side validation bypass. Where is the security breach?

4. App Version Check Bypass Using Frida

He showed how to bypass the app version check using Frida.


Conclusion: At this point I was a little confused. Was this a Frida tutorial or a security breach?

5. User Password

He showed that the app asks the user for a 4-digit password.


Conclusion: OK, this could count as a missing best practice in password policy, but what is the impact? A 4-digit PIN has only 10,000 possible values, which matters only for whatever that PIN alone protects (see the next point). Definitely not a security breach!

6. Local Database Password

He showed how the local database password can be cracked.


Conclusion: So he was able to get the user preferences by decrypting the local database. I assumed he was first showing some low-hanging fruit and that something like a zero-day or security breach was coming next. I was still excited!

7. Enabling Debug Features Using Frida

He again used Frida, this time to enable debug features in the app!


Conclusion: Dude, I know Frida is awesome, but I did not fly to Vegas for Frida tutorials. I was still waiting for the security breach!
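Points 1 to 4 and 7 are all the same move: a boolean the app computes on the device gets replaced at runtime. As an added example (my own, not the speaker’s script and not mAadhaar code), here is what one Frida script covering all of them looks like. The class names under `com.example.app.security`, their method names and the package name in the usage line are assumed placeholders; the one real entry is `android.os.Debug.isDebuggerConnected`, a framework method that anti-debug code commonly consults. Before using this against a real app you find the actual names with jadx or `Java.enumerateLoadedClasses()`.

```javascript
// Added example, not from the original post: a Frida script that forces the
// outcome of client-side checks (root, tamper, debug flag, version, debug
// menu). Class and method names below are ASSUMED placeholders, except
// android.os.Debug.isDebuggerConnected, which is a real framework method.
// Load with:  frida -U -f com.example.app -l bypass.js   (package name assumed)
'use strict';

// Each entry: Java class, method to hook, and the value the hook returns.
const BYPASSES = [
  { cls: 'com.example.app.security.RootCheck',      method: 'isDeviceRooted',      force: false },
  { cls: 'com.example.app.security.IntegrityCheck', method: 'isSignatureValid',    force: true  },
  { cls: 'com.example.app.security.DebugCheck',     method: 'isDebuggable',        force: false },
  { cls: 'com.example.app.security.VersionCheck',   method: 'isUpdateRequired',    force: false },
  { cls: 'com.example.app.security.DebugCheck',     method: 'isDebugMenuEnabled',  force: true  },
  { cls: 'android.os.Debug',                        method: 'isDebuggerConnected', force: false },
];

// Installs every hook it can and returns the list of "class.method" names
// actually hooked. `Java` is Frida's Java bridge; it is passed in so the
// function can also be exercised outside Frida with a stand-in object.
function installHooks(Java, bypasses = BYPASSES) {
  const installed = [];
  for (const { cls, method, force } of bypasses) {
    let wrapper;
    try {
      wrapper = Java.use(cls);                 // throws if the class is not found
    } catch (e) {
      console.log(`[skip] ${cls}: ${e.message}`);
      continue;
    }
    if (!wrapper[method]) {
      console.log(`[skip] ${cls}.${method} does not exist`);
      continue;
    }
    // For overloaded methods Frida requires wrapper[method].overload('...')
    // before assigning .implementation; the assumed methods take no arguments.
    wrapper[method].implementation = function (...args) {
      // Run the real check first so the log shows what the app would have
      // decided, then hand back the forced value instead.
      const real = this[method](...args);
      console.log(`[hook] ${cls}.${method}() real=${real} forced=${force}`);
      return force;
    };
    installed.push(`${cls}.${method}`);
  }
  return installed;
}

// Inside Frida the `Java` global exists and the hooks go in once the VM is
// ready; run through plain Node.js (no Frida) this file only defines the
// functions above.
if (typeof Java !== 'undefined') {
  Java.perform(() => {
    const hooked = installHooks(Java);
    console.log(`[frida] ${hooked.length} check(s) neutralised: ${hooked.join(', ')}`);
  });
}
```

The `[hook]` lines print each check’s real result beside the forced one, which also makes the point of this whole section visible: the decision never leaves the device, so the server has nothing it could validate. That is why a check of this kind is defence in depth, not a security boundary.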

8. MITM (Lack of SSL Cert Validation)

He was able to intercept the app’s traffic; this is the issue tracked as CVE-2019-14516.


Conclusion: The CVSS score is around 5.8, i.e. Medium severity. This is the only finding with a real attack path, and exploiting it still requires the attacker to sit on the network path between the phone and the server.

Let’s list all the vulnerabilities mentioned in the so-called mAadhaar security breach:

  1. Root Detection Bypass (using Frida) – Low Severity
  2. Tampering Detection Bypass (using Frida) – Low Severity
  3. Debug Flag Detection Bypass (using Frida) – Low Severity
  4. App Version Check Bypass (using Frida) – Low Severity
  5. User Password (Password best practices) – Low Severity
  6. Local Database Password (user preferences) – Low Severity
  7. Debug Features Enabling (using Frida) – Low Severity
  8. MITM (Lack of SSL Cert Validation) – Medium Severity / difficult to exploit

So the talk was over! At that moment I did not know whether to laugh, shout or scream, because all of the above vulnerabilities are low severity or difficult to exploit.

Final conclusion: this is not a security breach, a zero-day or theft of biometric data from mAadhaar! These are just low-hanging fruit that can be found in most modern mobile apps!

Bug bounty: if you do not know what a bug bounty is, it is a process in which people report security issues in apps and companies pay them money (a bounty) based on the criticality and impact of the vulnerability.

Do you want to know how much a company would pay if we reported all of the above issues? USD 0, or at most USD 100 as encouragement. That’s all!

Want to verify this yourself? Check out Fitbit’s security program (https://bugcrowd.com/fitbit):

[Screenshot: Fitbit bug bounty program rules]

Almost all mobile app bounty programs have similar rules for reporting security issues!

Meanwhile, I leave it up to you: how serious are these security issues, or is it just a publicity stunt?

I can see new propaganda against the security of the Aarogya Setu app by the same self-claimed researcher. I will soon write an analysis of it.

On another note, yes, I agree: the government should have proper channels to receive reports of security issues found in government apps!

Note: the DEF CON AppSec Village is one of the best security events I have ever attended; however, the self-claimed researcher was able to get a slot thanks to all the media attention!
