As said yesterday, they used sqlcipher which is a good thing https://twitter.com/fs0c131y/status/1089618321765531648
SQLCipher will encrypt the database. To decrypt it, you need to define a "password" and this is where the problems come
Developers: When you are using a lib, a tool or an SDK, RTFM! Everything is written, you just have to read it. pic.twitter.com/ssdOLu1mVL
The guys at @TeamZetetic, the authors of sqlcipher, published "SQLCipher Database Key Material and Selection" https://discuss.zetetic.net/t/sqlcipher-database-key-material-and-selection/25
It's crystal clear, the good practice is to take a passphrase from the user and mix it with a device id for example pic.twitter.com/cL81n96ddl
This is more than clear: "that a significant part of the key material is a secret coming directly from the user when the application runs" pic.twitter.com/wELLgy7rCk
"Note that hardcoding a key in application code is not suitable for any secure implementation." pic.twitter.com/MctaOSl82q
As said in the text, let's say your device has been compromised and I managed to retrieve the local database of the mAadhaar app. The IMEI is 15 decimal digits. Brute forcing the password of the db will take only a few seconds
Interesting answer by a @TeamZetetic team member on the topic https://discuss.zetetic.net/t/sqlcipher-how-to-protect-the-key/522/3
Nice article on how to hide the key of your database http://www.informit.com/articles/article.aspx?p=2268753&seqNum=4
ffs if you want to improve your security and be a better developer, there is only one way: understand what you are using! pic.twitter.com/7yN84orPB6
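Added example, not part of the original thread and not code from mAadhaar or the SQLCipher project: a Python sketch of the practice quoted above, where the user's passphrase is the secret and the device id only binds the key to the device, with the result formatted in SQLCipher's raw-key syntax (64 hex characters). The function names, the iteration count, the salt handling and the sample values are assumptions made for this illustration.

```python
import hashlib
import math

PBKDF2_ITERATIONS = 256_000  # assumed work factor for this example
KEY_BYTES = 32               # SQLCipher raw-key syntax takes 32 bytes (64 hex chars)


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Upper bound, in bits, on the guessing space of a fixed-length secret."""
    return length * math.log2(alphabet_size)


def derive_raw_key(passphrase: str, device_id: str, salt: bytes) -> bytes:
    """Derive the database key; the passphrase is the only secret input."""
    if not passphrase:
        raise ValueError("a user-supplied passphrase is required")
    if len(salt) < 16:
        raise ValueError("salt must be at least 16 random bytes")
    # The device id is treated as public: it binds the key to one device
    # but contributes no secrecy, so it is folded into the salt.
    bound_salt = hashlib.sha256(salt + device_id.encode("utf-8")).digest()
    return hashlib.pbkdf2_hmac("sha512", passphrase.encode("utf-8"),
                               bound_salt, PBKDF2_ITERATIONS, dklen=KEY_BYTES)


def pragma_key(raw_key: bytes) -> str:
    """Format a derived key as a SQLCipher raw-key PRAGMA statement."""
    if len(raw_key) != KEY_BYTES:
        raise ValueError("raw key must be exactly 32 bytes")
    return "PRAGMA key = \"x'" + raw_key.hex() + "'\";"


if __name__ == "__main__":
    # Constructed sample values, not taken from any real device or app.
    salt = bytes(range(16))        # in practice: os.urandom(16), stored with the app
    device_id = "000000000000000"  # placeholder 15-digit identifier
    key = derive_raw_key("correct horse battery staple", device_id, salt)
    print(pragma_key(key))
    print(f"15 decimal digits: at most {keyspace_bits(10, 15):.1f} bits")
    print(f"6 random words from a 7776-word list: {keyspace_bits(7776, 6):.1f} bits")
```

Because the key is never stored, the passphrase has to be collected each time the application opens the database.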
@UIDAI do you plan to iterate on security feedback?
They will probably do a PR
This is a very horrible level of security. Even a novice like me can understand the total mockery created by @UIDAI. God help this country! Bunch of amateurs are running our most precious infrastructure!! @NandanNilekani how embarrassing!
And now the ruling party aka bhakths gonna give you an Award "AntiIndian"