The application eco-system built around Aadhaar is vulnerable to malware as conflicting requirements between utility, security, delegation and profit making, have created the perfect environment in the unique identification (UID) system, says a report from Medium.com.
In the report , Anand Venkatanarayanan, says, “Securing the Central Identities Data Repository (CIDR) is a relatively easy problem for Unique Identification Authority of India (UIDAI), but ensuring that every single android app is not vulnerable to malware is a very hard problem. This is because, an authentication attempt that only uses OTP can be defeated easily by automation. In addition, the capability to reverse engineer applications in the mobile application ecosystem would defeat the ‘Security by Obscurity’ paradigm that UIDAI is comfortable with.”
Last week, Google Play store pulled down few e-Know-Your-Customer (eKYC) apps. “While the pulling down of these apps were not noticed, a quick analysis via the disassembler as described above did show that all of them are vulnerable to application programming interface (API) key harvesting techniques,” Anand Venkatanarayanan added.
API key is a code passed in by computer programs calling an API to identify the calling program, its developer, or its user to the website or mobile application.
The safest car is the one that is parked in a garage, as it can never be involved in an accident, but it also has zero utility, the report says, adding, the same is true for ‘Aadhaar data’, the term which means a combination of Aadhaar number, demographic information, phone number, email address and the biometric identifiers. If all this is securely hosted and never leaves the central repository (CIDR), then its utility is very limited.
UIDAI allows two uses to increase utility of its Aadhaar system. The yes/no authentication allows residents to be verified with their Aadhaar number and biometrics or one time passcode (OTP) delivered to their registered mobile number. The second KYC authentication returns demographic data to a service provider when they submit their Aadhaar number and biometrics or OTP.
UIDAI regulates entities that allow such use. These entities are referred as authentication user agency (AUA) and KYC user agency (KUA) and need to follow security norms as well as financial eligibility criteria.
“Since License keys of AUA or KUA and ASAs can be suspended if financial norms are not adhered to private entities cover their costs and run a viable business through a combination of delegation and transaction costing. AUAs are allowed to enter into contracts with other entities referred as sub-AUA through a memorandum of understanding (MoU). For each sub-AUA application, NIC assigns a unique code to be included in application’s request XML. On the other hand, KUAs are prohibited from sub-licensing or creating sub-KUA.”
“Why would UIDAI prohibit sub-KUA but allow sub-AUA? It is to minimize abuse and to ensure traceability. Since eKYC is mandatory for SIM cards and is accepted as a valid form of providing identity and address proof for opening bank accounts, mutual fund accounts, allowing sub KUAs, enables abuse via delegation. Delegation creates multiple layers of obscurity and hence it becomes difficult to investigate the true source of abuse, in the case of a fraud report. Hence banning it is the only possible and reasonable solution,” the report says.
Anand Venkaranarayanan then explains in details how the reverse process of getting source code can be used to extract the secret API key from the sample application with just a decompiler within five minutes.
He says, it is now trivial to design a malware which can use the above vulnerability and perform eKYC through an OTP in the background without either the user or the UIDAI being aware of it. Anand Venkaranarayanan reproted the vulnerability to both Chief Executive of UIDAI and Quagga over email on 15 August 2017. While Quagga responded to his email, the UIDAI CEO has neither responded nor acknowledged the mail.
“Quagga responded to the all the emailed questions (except one) and it was clear from the responses they are fully in compliance with the Aadhaar regulations. It is unclear, if architecture issues of using OTP as a first factor authentication should be reported to CERT.IN or NCI-IPC and hence were not reported,” Anand Venkaranarayanan says.