Security Flaws in the “Aarogya Setu” App Put 90 Million Indians at Risk
- A French researcher has found a couple of privacy and security flaws in the Aarogya Setu app.
- The app’s team responded by saying these are features and not bugs, so nothing is wrong or at risk.
- Using the app is enforced in India, despite the massive wave if remonstrance coming from people, non-profits, and politicians.
Researcher Robert Baptiste, aka Elliot Alderson, has found some serious security flaws in “Aarogya Setu”, India’s official COVID-19 contact tracing app. The hacker posted a message on Twitter, warning about the risk that put the privacy of 90 million Indians at stake. This was enough to shake the Emergency Response Team and the National Informatics Centre, who reached out to the researcher in just 49 minutes after the below tweet.
Hi @SetuAarogya,
A security issue has been found in your app. The privacy of 90 million Indians is at stake. Can you contact me in private?
Regards,
PS: @RahulGandhi was right
— Baptiste Robert (@fs0c131y) May 5, 2020
Elliot Alderson decided to look into the inner workings of the particular app after Rahul Gandhi, the President of the Indian National Congress, openly called the app a “sophisticated surveillance system made by a private entity.” The same researcher revealed the leaking of 6.7 million Aadhaar numbers back in February 2019, so he has a history of investigating security issues that relate to India.
The Arogya Setu app, is a sophisticated surveillance system, outsourced to a pvt operator, with no institutional oversight - raising serious data security & privacy concerns. Technology can help keep us safe; but fear must not be leveraged to track citizens without their consent.
— Rahul Gandhi (@RahulGandhi) May 2, 2020
For now, the researcher didn’t reveal technical details about what is the Aarogya Setu’s problem exactly, but it looks like it is mainly the fact that people can get COVID-19 infection stats from other areas by using a special script. The team behind the app responded by saying that this is actually not possible because their API sits behind a Web Application Firewall, and thus all calls are filtered. Even if it was possible, they claim that this data is already public, and includes no personal or sensitive data that can be used to identify people.
Moreover, they point out that when the users register, or self-assess their health, or submit their contact tracing data, the information they collect is not exposed to risks - and that these are the only circumstances when the app fetches user location. Finally, they assure the users that there has been no data or security breach either, so all in all, nothing is wrong with Aarogya Setu.
Whether this is a satisfactory response or Elliot Alderson will return for a “second round” remains to be seen now. Aarogya Setu is a big thing in India because its installation and use came as mandatory for the people who live in COVID-19 containment zones. Many companies and delivery services like Zomato and Swiggy adopted the app and forced their employees to use it. In just a month, the app has amassed 90 million users, and many opposed the way it was enforced on the people. No matter the pleads and the privacy warnings, Aarogya Setu remains an active project, and those who don’t abide by the instruction to use it may incur criminal prosecution.