Updated with the latest comments from French security researcher Elliot Anderson
In these times of lockdown and uncertainty all around us, we now also have to worry about our personal data being up for grabs or misused because of an alleged breach in the Indian government’s contact tracing app, Aarogya Setu.
Elliot Anderson, a French security researcher and ethical hacker, on Tuesday (May 6) threw down the gauntlet to the Indian government, claiming that the Aarogya Setu app is flawed and that the data of 90 million Indians could be vulnerable.
According to the ethical hacker, the two major issues that require a fix are that ‘the app fetches user location on a few occasions’ and that a ‘user can get the Covid-19 stats displayed on home screen by changing the radius and latitude-longitude using a script’.
“Hi @SetuAarogya, A security issue has been found in your app. The privacy of 90 million Indians is at stake. Can you contact me in private? Regards. PS: Rahul Gandhi was right,” he said.
Hi @SetuAarogya, A security issue has been found in your app. The privacy of 90 million Indians is at stake. Can you contact me in private? Regards, PS: @RahulGandhi was right (May 5, 2020)
While very confident about his claims of a data breach, Anderson has not been forthcoming with any technical details and said that he is awaiting the Indian government's response on fixing the issue.
The National Informatics Centre (NIC) under the Ministry of Electronics and Information Technology, which developed the app, has denied these claims and issued the following reply via their Twitter handle:
Statement from Team #AarogyaSetu on data security of the App. pic.twitter.com/JS9ow82Hom (May 5, 2020)
The Aarogya Setu team clarified that the fetching of a user’s location is ‘by design’ and it is ‘stored on the server in a secure, encrypted and anonymised manner’.
Regarding the second issue, the team said the radius parameters on the app ‘are fixed and can only take one of the five values: 500m, 1km, 2km, 5 km, and 10 km’. It added that the information does not ‘compromise on any personal or sensitive data’.
Anderson responded with a nonchalant tweet, saying: “Basically, you said ‘nothing to see here’. We will see. I will come back to you tomorrow.”
However, he did come back to report that when he had first analysed the Aarogya Setu app, he was able to open any internal file of the app with a single command line, something that is no longer possible with the latest version. In other words, he is now claiming that this issue has since been fixed without any public announcement.
The first time I analysed @SetuAarogya it was 1 month ago. With 1 command line it was possible to open any internal file of the app. It's no more possible on the latest version. They fixed this issue silently. https://t.co/MVKc4wOSA9 (May 6, 2020)
Interestingly, this statement from the app team comes close on the heels of Congress leader Rahul Gandhi’s recent remark that the contact tracing app is a ‘sophisticated surveillance system outsourced to a private operator’.
Recently there was also an uproar about the Centre deploying wearable trackers and Aarogya Setu to monitor Covid-19 patients.