Security Issue in Aarogya Setu App


Aarogya Setu is a contact-tracing app developed by India's National Informatics Centre (NIC) under the Ministry of Electronics and Information Technology.

French hacker Robert Baptiste, who goes by Elliot Alderson on Twitter, has claimed that there are security issues with the government’s contact tracing app, Aarogya Setu. “A security issue has been found in your app. The privacy of 90 million Indians is at stake. Can you contact me in private?” the hacker wrote on Twitter tagging the official account of the app.

Baptiste confirmed that both the Indian Computer Emergency Response Team (CERT-In) and the National Informatics Centre (NIC) got in touch with him 49 minutes after his initial tweet. Sources at Niti Aayog said that they will be putting up an official statement about Baptiste’s concerns soon.

The hacker has been in the news earlier for exposing flaws in the Indian government's mAadhaar app. He found that the developers of the app were saving users' biometric information in a database that could be easily breached. He was also among many hackers who accessed Telecom Regulatory Authority of India (TRAI) chief R.S. Sharma's personal information after Sharma put his Aadhaar number on Twitter asking people to show "one concrete example" where harm could be done to him.

The Twitter handle of Aarogya Setu said they were alerted “by an ethical hacker of a potential security issue in the app”, which they discussed with him, but “no personal information of any user has been proven to be at risk” by the hacker.

The Aarogya Setu team said the hacker had pointed out two issues – “the app fetches user location on a few occasions”, and a “user can get the Covid-19 stats displayed on home screen by changing the radius and latitude-longitude using a script.”

However, the Aarogya Setu team said, the fetching of a user's location is "by design", and it is "stored on the server in a secure, encrypted and anonymised manner."

Regarding the second issue, the Aarogya Setu team said the radius parameters on the app "are fixed and can only take one of the five values: 500m, 1km, 2km, 5 km, and 10 km." It added that the information does not "compromise on any personal or sensitive data".
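The team's answer rests on the radius being restricted to five fixed values. A client-side picker enforces that only for users of the official app; the check that actually matters is the one on the server, which must reject any radius outside the allowlist and any coordinate outside the valid range rather than rounding or clamping it. The following is an added illustration of such a server-side validator, not code from the Aarogya Setu app or NIC: the five radius values come from the team's statement, while the parameter names (`lat`, `lon`, `radius`), the request shape, the coordinate-coarsening policy and the error type are assumptions made for the example.

```python
"""Server-side allowlist validation for a "Covid-19 stats near me" request.

Illustrative example, not the app's own code. The only facts taken from the
article are the five permitted radius values (500 m, 1 km, 2 km, 5 km, 10 km);
parameter names, request shape and error handling are assumed.
"""
from dataclasses import dataclass

# The five radii the app offers, in metres. Exact membership is required;
# a value such as 750 is rejected, never snapped to the nearest entry.
ALLOWED_RADIUS_M = frozenset({500, 1000, 2000, 5000, 10000})

# Assumed policy: coarsen coordinates before they are used for the lookup,
# so the server never keys a query on a precise point (2 decimals is
# roughly 1.1 km at the equator).
COORD_DECIMALS = 2

EXPECTED_PARAMS = frozenset({"lat", "lon", "radius"})


class InvalidStatsQuery(ValueError):
    """Raised when a client-supplied parameter is outside the allowed set."""


@dataclass(frozen=True)
class StatsQuery:
    lat: float
    lon: float
    radius_m: int


def _parse_radius(raw) -> int:
    text = str(raw).strip()
    # isdigit() rejects "", "-500", "1e3" and "1000.0" before int() sees them.
    if not text.isdigit():
        raise InvalidStatsQuery(f"radius must be a positive integer, got {raw!r}")
    radius = int(text)
    if radius not in ALLOWED_RADIUS_M:
        raise InvalidStatsQuery(
            f"radius {radius} not in allowed set {sorted(ALLOWED_RADIUS_M)}")
    return radius


def _parse_coord(raw, name: str, limit: float) -> float:
    try:
        value = float(str(raw).strip())
    except ValueError:
        raise InvalidStatsQuery(f"{name} is not a number: {raw!r}") from None
    # NaN is never equal to itself; inf fails the range check.
    if value != value or not -limit <= value <= limit:
        raise InvalidStatsQuery(f"{name} out of range [-{limit}, {limit}]: {raw!r}")
    return round(value, COORD_DECIMALS)


def validate_stats_query(params: dict) -> StatsQuery:
    """Validate raw query parameters; returns a StatsQuery or raises."""
    keys = set(params)
    if keys != EXPECTED_PARAMS:
        raise InvalidStatsQuery(
            f"unexpected or missing parameters: {sorted(keys ^ EXPECTED_PARAMS)}")
    radius = _parse_radius(params["radius"])
    lat = _parse_coord(params["lat"], "lat", 90.0)
    lon = _parse_coord(params["lon"], "lon", 180.0)
    return StatsQuery(lat=lat, lon=lon, radius_m=radius)


def is_valid_stats_query(params: dict) -> bool:
    """Boolean form of the check, handy for request filters and tests."""
    try:
        validate_stats_query(params)
        return True
    except InvalidStatsQuery:
        return False


if __name__ == "__main__":
    # Constructed sample requests: one well-formed, the rest malformed.
    samples = [
        {"lat": "28.6139", "lon": "77.2090", "radius": "1000"},
        {"lat": "28.6139", "lon": "77.2090", "radius": "750"},
        {"lat": "91", "lon": "77.2090", "radius": "500"},
        {"lat": "28.6", "lon": "77.2", "radius": "5000", "debug": "1"},
    ]
    for sample in samples:
        try:
            print("accepted", validate_stats_query(sample))
        except InvalidStatsQuery as exc:
            print("rejected", exc)
```

The deliberate design choice is to reject rather than normalise: rounding a radius of 750 up to 1000 or clamping a latitude of 91 to 90 would silently accept requests that the app itself can never produce, which is exactly the signal a server-side log should preserve.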

Aarogya Setu was launched by the Indian government on April 2 as the official app to help with contact tracing efforts. The app has been promoted by Prime Minister Narendra Modi himself and has been downloaded over 9 crore times already. It also holds the record for the fastest any app has reached a 50 million download base, which it reached only 13 days after the launch.

The government has recently made the app mandatory for individuals in Covid-19 containment zones and for all government officials. Many companies have also made the app mandatory for their employees, including the delivery services Zomato and Swiggy, which ask their riders to download the app.
