India puts Covid-19 tracing Aarogya Setu code on Github - offers bugs bounty

(Image credit: Future)

Starting today, anyone seeking to study the code base of Aarogya Setu, the app that was launched by the government to trace Covid-19 carriers in India, can do so on the open-source code repository Github. The Indian government has put the code for the Android version of the app on Github. Additionally, the federal administration has also announced a bugs bounty programme on it.

Developers or testers discovering bugs or loopholes in the app, which has so far been downloaded by more than 100 million users in India, would receive a reward of Rs.100,000 (approximately $1,320). 

See more

Amitabh Kant, chief executive of NITI Aayog, a government-led policy think tank that collaborated with the federal ministries to build the app, said all subsequent updates on it would now be made via open-source through the Github repository. Also the code base for iOS and KaiOS (for JioPhone) would be made open source soon. 

Ever since the government launched the Aarogya Setu app on April 14 as a tool to fight the Covid-19 pandemic, it has faced questions around security and privacy from ethical hackers, some even claiming to have broken into the database. 

The latest effort to provide users with the source code via Github suggests that the federal government is taking criticism head-on and doing whatever it takes to ensure that the app finds its way into every smartphone in India. Of course, just over a third of India's population of 1.3 billion people own one, as per government data. 

It's never been done before

Kant claimed that no other government product anywhere in the world had been open sourced at this scale. "Today, its scale and size is 115 million, cuts across phones, IVRS and is the only product available in 12 languages. Put all the Covid-19 tracking apps of the world together and Aarogya Setu is bigger than all of them," he said. 

This would also put to rest the continued demand from privacy activists who wanted the open-sourcing of the app's code ever since it's release a month-and-half ago.  

Advocates of the app took to the media to suggest that this latest move will allow businesses to build applications on top of the Aarogya Setu and unleash many more innovations in the post-Covid-19 world. Ramesh Raskar, MIT Media Lab professor wrote on Medium that the open-source code will enhance trust and keep detractors from making false claims about the data privacy and security. 

See more

Sharing source code is the first step

However, security researchers suggest that merely presenting the source code on Github type hosting services isn't enough. In the past, such efforts have been stymied by a lack of transparency whereby open-source code has been purposefully obfuscated in order to make its understanding tough for developers. 

Some even argued that though the release suggests the right intent, to see whether it provides concrete insights into data security and processing and the backend tasks are being handled will take some time. The code will tell us what data is being accessed at what time, but it may not indicate how it is being used behind the scenes. For this, one would require to see how the protocols are being written on data storage and sharing. 

The government has been pushing for more downloads because that's the only way the contact tracing can actually be effective. Now, the app merely gets a bot to ask random questions and suggests if users are safe or require additional precautions based on cases detected in their vicinity. 

Via: The Mint

Raj Narayan

A media veteran who turned a gadget lover fairly recently. An early adopter of Apple products, Raj has an insatiable curiosity for facts and figures which he puts to use in research. He engages in active sport and retreats to his farm during his spare time.