Aarogya Setu App Privacy Issue: Government says No Data or Security Breach; Know Everything Here
Aarogya Setu Privacy or Security Issue: An ethical hacker named Elliot Alderson tweeted that the Aarogya Setu app puts the privacy of 90 million Indians at stake. However, the hacker did not disclose the flaws.
The Aarogya Setu app has been red-flagged by a Paris-based ethical hacker who claims that this COVID-19 contact tracing app has a security issue. The hacker, named Elliot Alderson, tweeted about it on May 5, 2020, stating that the app puts the privacy of 90 million Indians at stake. However, the hacker did not disclose the flaw or vulnerability.
In reply to the hacker's tweet, the makers of the Aarogya Setu app issued a statement clarifying that no data or security breach has been identified in the app. The statement details the user data extracted by the app on different occasions, such as at the time of registration, self-assessment and others. Have a look at the hacker's tweet and Aarogya Setu's statement below:
Ethical Hacker's tweet regarding flaws in Aarogya Setu app:
Aarogya Setu App Maker's reply:
Aarogya Setu's Clarification against Issues raised by hacker
Issue 1: App fetches location of users on a few occasions
-During user registration
-During voluntary submission of contact tracing data by users
-When app fetches user's contact tracing data after they turn COVID-19 positive
Issue 2: Users get COVID-19 statistics displayed on app's home screen when they change the radius or latitude-longitude through a script
Aarogya Setu's Reply: The radius parameter of the app is fixed and takes only one of five values: 500 metres, 1 km, 2 km, 5 km and 10 km. These values are posted with HTTP headers, and any value other than these five defaults to 1 km.
On the other hand, users can change the latitude or longitude to get information for multiple locations. However, the API call is behind a Web Application Firewall, making bulk calls impossible. Accessing data for multiple locations this way is similar to asking people about their location's COVID-19 stats. This information is already public and does not compromise sensitive or personal data.
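A server-side sketch of the two controls the statement describes for Issue 2, added here as an illustration and not taken from Aarogya Setu's code: the radius is checked against the five allowed values and falls back to 1 km, and a per-client request cap stands in for the Web Application Firewall rule. The function names, the metre-valued radius string, the client identifier and the limit of 5 requests per 60 seconds are all assumptions.

```python
from collections import defaultdict, deque

# The five radii named in the statement, in metres.
ALLOWED_RADII_M = (500, 1000, 2000, 5000, 10000)
DEFAULT_RADIUS_M = 1000  # any other value defaults to 1 km


def normalize_radius(raw):
    """Map an untrusted header value to an allowed radius, else the default."""
    try:
        value = int(str(raw).strip())
    except (TypeError, ValueError):
        return DEFAULT_RADIUS_M
    return value if value in ALLOWED_RADII_M else DEFAULT_RADIUS_M


class SlidingWindowLimiter:
    """Per-client request cap standing in for the WAF rule (limits assumed)."""

    def __init__(self, max_requests=5, window_s=60.0):
        self.max_requests = max_requests
        self.window_s = window_s
        self._hits = defaultdict(deque)  # client_id -> accepted timestamps

    def allow(self, client_id, now):
        hits = self._hits[client_id]
        # Drop timestamps that have aged out of the window.
        while hits and now - hits[0] >= self.window_s:
            hits.popleft()
        if len(hits) >= self.max_requests:
            return False
        hits.append(now)
        return True


def handle_stats_request(limiter, client_id, raw_radius, lat, lon, now):
    """Return (status, radius_m): 429 when throttled, 400 on bad coordinates."""
    if not limiter.allow(client_id, now):
        return 429, None
    try:
        lat, lon = float(lat), float(lon)
    except (TypeError, ValueError):
        return 400, None
    # NaN fails both comparisons, so it is rejected here as well.
    if not (-90.0 <= lat <= 90.0 and -180.0 <= lon <= 180.0):
        return 400, None
    return 200, normalize_radius(raw_radius)
```

The radius check only bounds one parameter; how many distinct locations a single client can query is governed entirely by the rate limit, so that is the control to monitor.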
Ethical Hacker warns Aarogya Setu App Makers
The statement mentions that, as per the ethical hacker, no personal information of users has been proven to be at risk. The makers assure users that no data or security breach has been identified in the functioning of the app. To this, the ethical hacker replied in a tweet warning the government that if the data breaches are not fixed, he would disclose the issues publicly. Have a look:
The Aarogya Setu app was launched in March 2020, soon after the lockdown was announced in India amid the Coronavirus outbreak. The app, developed by the National Informatics Centre (NIC) under MeitY, helps the government with contact tracing and with identifying the location of people who turn COVID-19 positive. Within a month of its launch, the app has about 90 million users.