Security Flaws in the “Aarogya Setu” App Put 90 Million Indians at Risk

Written by Bill Toulas
Last updated September 25, 2021

Researcher Robert Baptiste, aka Elliot Alderson, has found some serious security flaws in “Aarogya Setu”, India’s official COVID-19 contact tracing app. The hacker posted a message on Twitter, warning about the risk that put the privacy of 90 million Indians at stake. This was enough to shake the Emergency Response Team and the National Informatics Centre, who reached out to the researcher in just 49 minutes after the below tweet.

Elliot Alderson decided to look into the inner workings of the particular app after Rahul Gandhi, the President of the Indian National Congress, openly called the app a “sophisticated surveillance system made by a private entity.” The same researcher revealed the leaking of 6.7 million Aadhaar numbers back in February 2019, so he has a history of investigating security issues that relate to India.

For now, the researcher didn’t reveal technical details about what is the Aarogya Setu’s problem exactly, but it looks like it is mainly the fact that people can get COVID-19 infection stats from other areas by using a special script. The team behind the app responded by saying that this is actually not possible because their API sits behind a Web Application Firewall, and thus all calls are filtered. Even if it was possible, they claim that this data is already public, and includes no personal or sensitive data that can be used to identify people.

Moreover, they point out that when the users register, or self-assess their health, or submit their contact tracing data, the information they collect is not exposed to risks - and that these are the only circumstances when the app fetches user location. Finally, they assure the users that there has been no data or security breach either, so all in all, nothing is wrong with Aarogya Setu.


Whether this is a satisfactory response or Elliot Alderson will return for a “second round” remains to be seen now. Aarogya Setu is a big thing in India because its installation and use came as mandatory for the people who live in COVID-19 containment zones. Many companies and delivery services like Zomato and Swiggy adopted the app and forced their employees to use it. In just a month, the app has amassed 90 million users, and many opposed the way it was enforced on the people. No matter the pleads and the privacy warnings, Aarogya Setu remains an active project, and those who don’t abide by the instruction to use it may incur criminal prosecution.

For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: