Is Aadhaar prone to hacking? Does it really pose a privacy threat? These questions are once again at the top of news channels after the account details of TRAI chief RS Sharma went public when he posted his Aadhaar number and challenged hackers to get anything out of it. An Android developer and researcher who goes by the handle Elliot Alderson on Twitter had earlier pointed out the weaknesses of the mAadhaar app and Aadhaar data. LatestLY spoke to him earlier this year, when he had been making news by exposing weaknesses in a string of Indian technology platforms for over a month.
He first drew attention when he exposed the weakness in the Telangana government’s benefit disbursement portal TSPost. This database contained user information, including Aadhaar numbers, of 56 lakh National Rural Employment Guarantee scheme beneficiaries and 40 lakh beneficiaries of social security pensions. He then moved on to publicly pulling up Paytm for requesting root access on its users’ devices, and followed that up with ISRO, India Post, BSNL and Apollo Hospitals, among others.
But arguably his biggest work is exposing the weaknesses in the Aadhaar app, mAadhaar. Alderson highlighted issues with the mAadhaar application: how third-party websites are using Aadhaar data, and how its developers were saving users’ biometric data in a local database whose password could easily be obtained.
Hi #Aadhaar 👋! Can we talk about the #BenefitsOfAadhaar for the #India population?
I quickly checked your #android app on the #playstore and you have some security issues... It's super easy to get the password of the local database for example... 🤦♂️ https://t.co/acjp6tUjqs
— Elliot Alderson (@fs0c131y) January 10, 2018
Alderson cannot be neatly put into the box of an ethical hacker, because he is trying to work with the creators of the platforms to fix weaknesses. He keeps an open line of conversation with the developers while breaking down their flaws.
Alderson has not stopped with mAadhaar. In the last 48 hours he has exposed the Narendra Modi app for transferring its users’ data to a third-party American company without their consent: personal data including emails, photos, genders and names of users of the NaMo mobile app were being sent to a third-party domain.
Alderson wrote, “When you create a profile in the official @narendramodi #Android app, all your device info (OS, network type, Carrier …) and personal data (email, photo, gender, name, …) are sent without your consent to a third-party domain called http://in.wzrkt.com.”
He then revealed that the domain to which the data of PM Modi’s app users was being sent had been classified as a phishing link by the security company G-Data. Alderson wrote, “This domain is classified as a phishing link by the company G-Data. This website is hosted by @GoDaddy and the whois info is hidden.” Alderson added that the domain in question belonged to CleverTap. He wrote, “After a quick search, this domain belongs to an American company called @CleverTap. According to their description, ‘#CleverTap is the next generation app engagement platform. It enables marketers to identify, engage and retain users and provides developers.’”
Today, Alderson has moved on to the Indian National Congress party's app. In a series of messages posted on Twitter this morning, Alderson explained that the Indian National Congress's Android app insecurely transmits user information to the party's website. "When you apply for membership in the official @INCIndia #android #app, your personal data are sent encoded through an HTTP request to http://membership.inc.in," Alderson posted on Twitter.
Come on! HTTP?! I'm sure you are able to rectify this and use HTTPS instead. pic.twitter.com/elRQVlU5bT
— Elliot Alderson (@fs0c131y) March 26, 2018
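As an added illustration that is not code from the Congress app, from Alderson or from this article, the Android network security configuration below shows the platform-level control that would have refused the plaintext request described above; the file name and the manifest wiring shown in the comment are assumptions about how a developer would ship it.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml (file name is an assumption).
     Wired in from AndroidManifest.xml as
       <application android:networkSecurityConfig="@xml/network_security_config" ...>
     Honoured on Android 7.0 (API 24) and later; on API 23 the equivalent
     manifest attribute is android:usesCleartextTraffic="false". -->
<network-security-config>

    <!-- Weak setting: the platform lets the app POST membership data over
         plain http://, which is the behaviour observed in the tweet above.
         Kept here only for comparison. -->
    <!-- <base-config cleartextTrafficPermitted="true" /> -->

    <!-- Hardened setting: every http:// URL the app tries to open, including
         http://membership.inc.in, is rejected by the networking stack before
         any bytes leave the device. Only https:// connections whose chain
         validates against the system trust store are permitted. -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>

</network-security-config>
```

With the hardened config in place, a developer who forgets to switch a URL to https:// gets a failed request during testing instead of a silent plaintext leak in production.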
Alderson also went on to claim that the Internet Protocol (IP) address of 'membership.inc.in', the website to which the Congress's Android app allegedly connects, was located in Singapore. "This server is located in Singapore. As you are an #Indian political party, having your server in #India is probably a good idea," Alderson said on Twitter.
The IP address of https://t.co/t1pidQUmtq is 52.77.237.47. This server is located in Singapore. As you are an #Indian political party, having your server in #India is probably a good idea. pic.twitter.com/tbspCtOPfB
— Elliot Alderson (@fs0c131y) March 26, 2018
So, who is Elliot Alderson? What are his motivations? Why is he working on exposing the weakness of Indian technology platforms?
In an interview with Androidpit, he acknowledged that he is a 28-year-old Frenchman going by the name “Baptiste R” or “Robert Baptiste”. In a subsequent interview with Scroll.in, Alderson explained that his formal educational qualification is that of a network and telecommunications engineer, and professionally, he is a freelance Android developer. “I develop Android apps and customise the Android Open Source Project [AOSP] for phone makers,” Alderson said. “All my career has been made in the Android sector.”
The name “Elliot Alderson” is inspired by the vigilante hacker character of the same name from the television series Mr Robot. He chose it because he thought it would be symbolic: a lot of people know the series and the Alderson character it revolves around, who takes on the global elite using his superior hacking skills.
Alderson prefers to let his work speak for itself, but he did take the time to respond to LatestLY’s questions.
Q: Can you give me a brief profile of yourself: Where are you based?
A: France
Q: What is your professional designation?
A: I’m a freelance Android developer.
Q: In a tweet you mentioned that Elliot Alderson is not your name. Why are you working under a pseudonym?
A: Elliot Alderson is the name of the hero in the Mr Robot TV show. Why? Because it’s fun and a lot of people know this character.
Q: Are you working for an organization or are you self-employed?
A: I’m self employed.
Q: Can you break down the work you are doing in layman’s terms?
A: I’m searching for vulnerabilities in different systems.
Q: Why and how did you come across the weakness in Telangana’s PDS system?
A: I have a lot of awesome followers on Twitter who give me tips all the time.
Q: Why have you moved onto other Indian government public departments?
A: Why not?
Q: Are you looking at just websites? Does this give you access to more data – citizens’ addresses, contact details or financial information such as bank accounts?
A: If you check my websites you will see that I also analyzed Android apps. Yes, I find a lot of things :)
Q: How did you come across Paytm, a wallet used in India?
A: I have a lot of awesome followers on Twitter who give me tips all the time.
Q: What is root access? And why do you say that Paytm should not request this permission from their users?
A: Root rights are the holy grail in Android apps. If an app requests the rights, it can do everything (steal private conversations, …). This is not the way to check if a device is rooted.
Q: When you contacted them, what was their initial response?
A: It was a nice chat. They understood the issue and fixed it.
Q: You said that you would show what a person like you can do with root access. What does that mean?
A: Sounds pretty clear, no?
Q: Is what Paytm was asking for legal for an Android application provider? Is it a grey area or should there be a law governing this?
A: Yes, yes, it’s legal.
Q: How would you rate this behaviour of Paytm – a mistake, an oversight, sneaky trick to track user behaviour?
A: I think it’s a mistake from their side.
Q: Will you be financially compensated for helping them out with this issue?
A: Nope
Alderson's exposés have not spared anyone -- tech companies, government agencies or political parties -- which proves that he is what he claims to be: an Android developer simply working to reveal system weaknesses for the benefit of the common user. That makes him even more dangerous for those who stand to be exposed by him.
The above interview has been edited for clarity and length purposes.
(The above story first appeared on LatestLY on Jul 31, 2018 09:47 AM IST.)