India Looks To Open-Source Aarogya Setu App As Security Concerns Spike

The government is looking to make Aarogya Setu application open-source as unease over data surveillance grows over microblogging platform Twitter.

Many users on Twitter have demanded the government to make Aarogya Setu open-source so that they can get to know the purpose of the application while ethical hackers can help the government to make it more secure.

In response, Niti Aayog’s programme director Arnab Kumar has now said that the apex body is committed to open-sourcing Aarogya Setu. Kumar, who was involved in the development of the application, also said that the app was developed in two weeks and was audited by IIT-Madras and one of the largest tech audit firms.

He also revealed that the government is not far away from making Aarogya Setu open-source. “However, a final decision is yet to be taken,” Kumar was quoted as saying by Financial Express.

Developed by the National Informatics Centre with the help of a few startups like 1mg and MakeMyTrip, Aarogya Setu was launched by the government to trace the spread of Covid-19. However, the application has raised serious privacy issues, not only from citizens but also from ethical hackers.

One such hacker Robert Baptiste, who goes by the name Elliot Alderson on Twitter, on two occasions found out two different securities issues on Aarogya Setu. He is also supporting the ‘#opensourceaarogyasetu’ campaign on Twitter.

In a tweet, Baptiste said that the UK government has already made its tracing application open-source and now it’s the time for the Indian government to make Aarogya Setu open-source.

Earlier, two days after the app was launched, the ethical hacker had highlighted that it was possible to open any internal file of the app with one command. He claimed that the government had “silently” fixed the issue later.

Meanwhile, Baptiste, earlier this week, raised another security flaw. Baptiste said that he was able to find out the Covid-19 status of a given area by exploiting a flaw which allows users to set a location within the application.

In response to this, Aarogya Setu team said, “Getting the data from multiple locations like Baptiste demonstrated is no different than asking several people of their locations Covid-19 statistics. All this information is already public for all locations and hence does not compromise on any personal sensitive data.”

In a blog titled ‘Aarogya Setu: The story of a failure’, he said that inside the Indian Parliament, an individual had updated their status to infected while two people said they were feeling unwell. He also found that two people had selected the unwell option inside the Indian Army headquarters in New Delhi.

Note: We at Inc42 take our ethics very seriously. More information about it can be found here.