Ethical hacker says 90 million Indians' privacy is at stake in Aarogya Setu app; government refutes claim


New Delhi, May 6, 2020: Amid concerns over data safety in the Aarogya Setu app, the government released a statement today. The Aarogya Setu team has said that there is no danger of any user’s personal information being leaked. The government is constantly upgrading and testing the system.


The government had to give this explanation because the French ethical hacker Elliott Alderson, who had earlier pointed out flaws in the Aadhaar system, challenged the government on Tuesday over the Aarogya Setu app. Aarogya Setu is a COVID-19 contact-tracing mobile application developed by the National Informatics Centre, which comes under the Ministry of Electronics and Information Technology, Government of India. The stated purpose of the app is to spread awareness of COVID-19 and to connect the people of India with essential COVID-19-related health services.


What did the ethical hacker say? He tweeted to the Aarogya Setu team that there is a security issue in the app and that the privacy of 90 million Indians is at stake, and asked, "Can you talk to me separately?" The hacker also said that Rahul Gandhi was right: a few days earlier, Congress leader Rahul Gandhi had raised the question of data security in the Aarogya Setu app.


Government issues clarification: “Earlier today, we were alerted by an ethical hacker of a potential security issue of Aarogya Setu. We discussed with the hacker and were made aware of the following:

The App fetches user location on a few occasions. Response: This is by design and is detailed in the privacy policy.


Reproducing the same for everyone’s benefit: we fetch a user’s location and store it on the server in a secure, encrypted, anonymised manner:
• At the time of registration
• At the time of self-assessment
• When a user submits their contact tracing data voluntarily through the App, or when we fetch the contact tracing data of a user after they have turned COVID-19 positive


User can get the COVID-19 stats displayed on the Home Screen by changing the radius and latitude-longitude using a script. Response: The radius parameters are fixed and can only take one of five values: 500 metres, 1 km, 2 km, 5 km and 10 km. These values are standard parameters, posted with HTTP headers. Any other value as part of the “distance” HTTP header gets defaulted to 1 km. The user can change the latitude / longitude to get the data for multiple locations.


The API call, though, is behind a Web Application Firewall, and hence bulk calls are not possible. Getting data for multiple latitude-longitude pairs this way is no different from asking several people for their location’s COVID-19 statistics. All this information is already public for all locations and hence does not compromise any personal or sensitive data.
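The two controls the statement describes for the stats endpoint, a fixed set of radius values with anything else coerced to 1 km, and a per-client limit on call volume in front of the API, are easy to get wrong on the server side (accepting raw numbers, or trusting a header format). The following is an added example, not Aarogya Setu or NIC code, of how a server might implement exactly those two checks. The header names `lat` and `lon`, the request-budget numbers, the accepted spellings of the distance value and the `constructed_stats` backend are all assumptions made for the example; only the five radii, the `distance` header name and the 1 km default come from the statement.

```python
"""Server-side validation for a location-based COVID-19 stats endpoint.
Constructed example: mirrors the controls described in the Aarogya Setu
statement (fixed radii, default 1 km, bulk-call limit); it is not the
app's own code and the header names lat/lon are assumed."""
import time
from collections import defaultdict, deque

# The five radius values the statement says the "distance" header may take.
ALLOWED_DISTANCES_M = {500, 1000, 2000, 5000, 10000}
DEFAULT_DISTANCE_M = 1000  # "any other value ... gets defaulted to 1 km"


def normalize_distance(raw):
    """Coerce the 'distance' header to one of the allowed radii (in metres).
    Accepted spellings ('500', '500m', '2km', '10 km') are an assumption;
    anything unparseable or not in the allow-list becomes the 1 km default."""
    if raw is None:
        return DEFAULT_DISTANCE_M
    text = str(raw).strip().lower().replace(" ", "")
    try:
        if text.endswith("km"):
            metres = round(float(text[:-2]) * 1000)
        elif text.endswith("m"):
            metres = round(float(text[:-1]))
        else:
            metres = round(float(text))
    except (ValueError, OverflowError):  # garbage, 'nan', 'inf', '1e400' ...
        return DEFAULT_DISTANCE_M
    return metres if metres in ALLOWED_DISTANCES_M else DEFAULT_DISTANCE_M


def parse_coordinate(raw, limit):
    """Return a float within [-limit, limit], or None when the value is
    missing, non-numeric, NaN or out of range."""
    try:
        value = float(raw)
    except (TypeError, ValueError):
        return None
    if value != value or abs(value) > limit:  # NaN compares unequal to itself
        return None
    return value


class RequestBudget:
    """Sliding-window per-client request limit. Stands in for the bulk-call
    control the statement attributes to the WAF; the numbers are assumed."""

    def __init__(self, max_requests, window_seconds):
        self.max_requests = max_requests
        self.window = window_seconds
        self._hits = defaultdict(deque)  # client_id -> timestamps of recent calls

    def allow(self, client_id, now=None):
        now = time.monotonic() if now is None else now
        hits = self._hits[client_id]
        while hits and now - hits[0] >= self.window:  # drop expired entries
            hits.popleft()
        if len(hits) >= self.max_requests:
            return False
        hits.append(now)
        return True


def constructed_stats(lat, lon, radius_m):
    """Constructed stand-in for the public statistics backend."""
    return {"confirmed": 3, "radius_m": radius_m, "centre": (round(lat, 2), round(lon, 2))}


def handle_stats_request(headers, client_id, budget, stats_lookup, now=None):
    """Validate a stats request and return (http_status, payload).
    Budget is checked first so that malformed requests also count against it."""
    if not budget.allow(client_id, now):
        return 429, {"error": "too many requests"}
    lat = parse_coordinate(headers.get("lat"), 90.0)
    lon = parse_coordinate(headers.get("lon"), 180.0)
    if lat is None or lon is None:
        return 400, {"error": "invalid coordinates"}
    radius = normalize_distance(headers.get("distance"))
    return 200, {"radius_m": radius, "stats": stats_lookup(lat, lon, radius)}


if __name__ == "__main__":
    budget = RequestBudget(max_requests=3, window_seconds=60)
    # Constructed requests: one with a non-standard radius, then a burst.
    for hdrs in [{"lat": "28.61", "lon": "77.21", "distance": "750"}] * 4:
        print(handle_stats_request(hdrs, "client-A", budget, constructed_stats))
```

The point of `normalize_distance` is that the allow-list is applied after parsing, so a request cannot smuggle in a radius the server never intended to serve; the point of `RequestBudget` is that the limit is keyed per client and evaluated before any lookup, which is what makes scripted bulk querying of many centre points expensive rather than free.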


No personal information of any user has been proven to be at risk by this ethical hacker. We are continuously testing and upgrading our systems. Team Aarogya Setu assures everyone that no data or security breach has been identified. 


We thank this ethical hacker for engaging with us. We encourage any users who identify a vulnerability to inform us immediately at [email protected]. Your continued support will help us keep the App even more secure.”


Ethical hacker not satisfied with the government’s response

In response to the Aarogya Setu statement, he said that he would talk to them again tomorrow. But two hours later he questioned the government on the app’s handling of location: “Do you know what triangulation is?”