The Indian government has released the source code for the iOS version of its contact tracing app Aarogya Setu, two months after releasing the Android code. The open-source code is available on the government's own open-source platform, OpenForge.
However, the government is yet to release the server-side code of the app, which developers and data privacy activists have constantly requested. The server-side code would help them understand how the stored data is processed at the backend. Since its launch, Aarogya Setu has been under heavy scrutiny from developers and security experts for a multitude of reasons.
According to TOI, a security audit firm, Cyber Firm, has said that the user data on Aarogya Setu is “running on a significant risk of theft and abuse”. In a blog post (which has since been taken down), Yash Kadakia, founder of ShadowMap and CTO of Security Brigade, reportedly said that “the company managed to get access into Aarogya Setu and discovered the source code for the entire platform, including backend infrastructure.”
In response to the blog, the government reportedly sent an official statement saying that the Security Brigade has misused its engagement with the Aarogya Setu code review. “Publishing an article on the issues that the firm got to know as part of the code review violates basic principles of ethics … it is a complete breach of trust,” the statement added.
MIT Technology Review, a magazine owned by the Massachusetts Institute of Technology, has also downgraded the Aarogya Setu app on the “data minimisation” parameter, which means the app collects more data than it needs in order to work.
The report ranked 25 individual, significant automated contact tracing efforts globally on five factors: voluntary or mandatory usage, usage for public health purposes only or also for law enforcement, provision for deleting the data within a reasonable amount of time, data collection, and transparency. Aarogya Setu's current ranking on these factors is 1 out of 5, according to MIT Technology Review.
In May, French ethical hacker Robert Baptiste, who goes by the name Elliot Alderson on Twitter, found a flaw in Aarogya Setu. According to Baptiste, anyone with the right technical know-how can find out the Covid-19 status of a given area by exploiting a flaw that allows users to set an arbitrary location within the Aarogya Setu application.
Using the flaw, Alderson was able to find that five people each in the Prime Minister's Office (PMO) and the defence ministry had reported that they were feeling unwell that day (May 6). In response, the government denied any security issues in the app, which was developed in a public-private partnership.