The Aadhaar card itself is not a secure document (being printed on paper) and according to the agency should not be treated as an identity card though it is often treated as such. However, with currently no practical way to validate the card (e.g. by police at airport entry locations) it is of questionable utility as an identity card.
There are also two main external concerns – the security of the data at rest on the phone and the security of the data in transit. The app and validation software is insecure, the Aadhaar system itself is insecure, the network infrastructure is insecure, and the laws are inadequate.
Certain mobile apps claim to verify an Aadhaar card using a QR code scanner. However, the QR code is not a secure representation of an Aadhaar card either and can be copied and edited.
The only way to validate an Aadhaar card is to perform an online validation, which will confirm that the card number is valid, confirm the postal code and gender of the holder. This means that it is possible to create a false Aadhaar card using the number of a genuine holder from the same postal code with the same gender, with the card subject to a number of cases of counterfeiting.