French cyber security expert Robert Baptiste may have forced the Indian government's hand on open sourcing Aarogya Setu after he uncovered flaws in the app and claimed that the privacy of 90 million Indians could be at stake.
Contact tracing is the newest tool governments across the world have taken up to fight COVID-19. Privacy concerns about the technology have become common, with some questioning whether the power being handed to governments is “too much”. India’s attempt, Aarogya Setu, had been called “unhackable” and totally safe by the government. When Rahul Gandhi tweeted about the dangers of the app, however, Robert Baptiste, who goes by the name “Elliot Alderson” on Twitter, could not resist taking a look.
He found a security issue and reported it to the Aarogya Setu team, tweeting: “A security issue has been found in your app. The privacy of 90 million Indians is at stake. Can you contact me in private?”
The app’s official account replied with an explanation. Robert ridiculed it, asked for the app to be open sourced, and promised a detailed article about its flaws.
The article, titled “Aarogya Setu: The story of a failure”, explained how, with only one click, “an attacker can open any app internal file, included the local database used by the app called fight-covid-db.” On 4 May he found that this bug had been fixed, but uncovered a more serious one. The feature that tells a user how many people in their area have done a self-assessment sends the user’s location and the radius of the search area to the server. Because both values are chosen by the client, an attacker can substitute any coordinates and radius, and Robert found that this lets an attacker know “who is infected anywhere in India, in the area of his choice.”
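To make the second flaw concrete, here is an added example written for this article; it is not Aarogya Setu’s code or API, and the records, function names, radii and threshold in it are assumptions. It models a “how many people near me have self-assessed” endpoint in Python. The flawed handler trusts the latitude, longitude and radius sent by the client, so `sweep` can tile any chosen area with small-radius queries and turn a simple count into a location oracle. The hardened handler takes the query centre from the authenticated session, accepts only a few coarse radii, and suppresses small counts. The sweep goes slightly beyond what the article spells out: it is the general consequence of accepting client-chosen coordinates.

```python
"""Toy model of a 'how many people near me have self-assessed' endpoint.

Constructed illustration only: the records, function names, radii and
threshold below are assumptions made for this example. None of it is
Aarogya Setu's real API, data or code.
"""
import math

# Constructed sample data: (user_id, latitude, longitude, reported_unwell)
RECORDS = [
    ("u1", 28.6139, 77.2090, True),   # central Delhi
    ("u2", 28.6140, 77.2092, False),
    ("u3", 28.6300, 77.2200, True),   # roughly 2 km north-east of u1
    ("u4", 19.0760, 72.8777, True),   # Mumbai
    ("u5", 19.0770, 72.8790, False),
]

EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def count_unwell_within(lat, lon, radius_km):
    """Number of records flagged unwell within radius_km of (lat, lon)."""
    return sum(
        1 for _, la, lo, unwell in RECORDS
        if unwell and haversine_km(lat, lon, la, lo) <= radius_km
    )


def nearby_count_vulnerable(request):
    """Flawed handler: every parameter is taken from the client unchecked.

    Anyone holding a valid token can ask about any point in the country with
    a radius as small as they like, so the count becomes a location oracle.
    """
    return {"unwell": count_unwell_within(
        request["lat"], request["lon"], request["radius_km"])}


def sweep(lat0, lon0, lat1, lon1, step_deg, radius_km):
    """Attacker's use of the flawed handler: tile a chosen area with
    small-radius queries and keep the grid cells that return a non-zero count."""
    hits = []
    n_lat = int(round((lat1 - lat0) / step_deg)) + 1
    n_lon = int(round((lon1 - lon0) / step_deg)) + 1
    for i in range(n_lat):
        for j in range(n_lon):
            lat = round(lat0 + i * step_deg, 4)
            lon = round(lon0 + j * step_deg, 4)
            req = {"lat": lat, "lon": lon, "radius_km": radius_km}
            if nearby_count_vulnerable(req)["unwell"] > 0:
                hits.append((lat, lon))
    return hits


# Hardened handler (assumed mitigations for this example, not the app's fix)
ALLOWED_RADII_KM = (0.5, 1.0, 2.0, 5.0, 10.0)  # only coarse, fixed choices
K_ANON = 5  # never return a count small enough to single out individuals


def nearby_count_hardened(session, request):
    """Query centre comes from the authenticated session (the device's own
    last check-in), not from the request body; the radius must be one of a
    few coarse values; counts below K_ANON are suppressed."""
    radius = request.get("radius_km")
    if radius not in ALLOWED_RADII_KM:
        raise ValueError("radius not permitted")
    n = count_unwell_within(session["lat"], session["lon"], radius)
    if n < K_ANON:
        return {"unwell": f"fewer than {K_ANON}"}
    return {"unwell": n}
```

Running `sweep(28.60, 77.20, 28.63, 77.22, 0.01, 0.6)` against the flawed handler returns the two cells that contain the unwell Delhi users, which is exactly the kind of result an attacker sitting anywhere can obtain. The hardened handler does not defeat a device that spoofs its own GPS fix, but it removes free choice of the query centre, makes tiny radii impossible and never answers with a count of one; server-side rate limiting would be the natural next layer.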
Later he tweeted a picture of a list of patients with confirmed COVID-19 infections, which he said was doing the rounds on WhatsApp, adding that “Privacy in India is a joke.”
Following the public backlash, the government has taken note of Robert’s findings and is now considering open sourcing the app.
Financial Express reports: “We developed the app in two weeks. During the development, we got it audited by IIT-Madras, and by one of the largest tech audit firms. We circulated it among security researchers widely… we religiously go through security testing. We are very paranoid about security and potential vulnerabilities. We are committed to open sourcing. We are not that far from open sourcing the app,” said Arnab Kumar, programme director, Niti Aayog.
Kumar said that the database for the app comes from the Indian Council of Medical Research. The collected information is “pushed” to the user’s phone, and Bluetooth contact tracing then determines whether that person is at risk of having been exposed to the virus.
Communication between the server where the data is stored and the device is “anonymised”, Kumar claims. He also said that obtaining the data the way Robert demonstrated “is no different than asking several people of their locations Covid-19 statistics.”
“All this information is already public for all locations and hence does not compromise on any personal sensitive data,” he added.
Robert also pointed to the contact-tracing API being developed by Google and Apple, and applauded the companies for their decision not to access the user’s location through the API at any time.