Following a tweet by ethical hacker and French cybersecurity expert under the alias “Elliot Alderson” claiming that there is a “security issue” within the Aarogya Setu app developed by the National Informatics Centre, a part of the Ministry of Electronics and Information Technology, the developers refuted the allegations over security or privacy concerns of 9 crore people who are using it amid the coronavirus pandemic in the country.
In its response posted on Wednesday, the Aarogya Setu team said, “no personal information of any users has been proven to be at risk,” though acknowledged ‘some issues’ with the app. The hacker alleged that this issue puts the data of 90 million users at risk.
The hacker, who had earlier exposed flaws in Aadhar, claimed this time that the Aarogya Setu app fetches location data and on a few occasions. The Aarogya Setu team clarified that the app stores the location data on secure servers which are encrypted. The team also denied the hacker’s claim that the “users can get the COVID-19 stats displayed on Home Screen by changing the radius and latitude-longitude using a script.”
The team said:“The radius parameters are fixed and can only take one of the few values: 500 meters, 1km, 2km, 5km, and 10km. These values are standard parameters posted with HTTP headers.”
Earlier Elliot had tweeted saying, “A security issue has been found in your app. The privacy of 90 million Indians is at stake. Can you contact me in private?” He tagged official handle of Arogya Setu and Congress leader Rahul Gandhi, who had last week raised data security concerns on the app.
Rahul Gandhi alleged that the app is a sophisticated surveillance system and it was “outsourced to a pvt operator, with no institutional oversight – raising serious data security & privacy concerns.”
Later, Elliot said that he was contacted by the Computer Emergency Response Team (CERT) and the National Informatics Centre (NIC) and he urged them to fix the flaws within a “reasonable deadline”. After the reply from Arogya Setu team, he said he would respond soon with his findings. Here’s his tweet:
My prediction was correct 😅
Thank you all for your messages, emails and sms. I’m doing my best to answer to everyone. Welcome to the new 20K people who follow since yesterday 😯
— Elliot Alderson (@fs0c131y) May 6, 2020
The Aarogya Setu app has come under severe scrutiny over privacy and surveillance concerns as well as the lack of audit and transparency, as it is not an open source code.
Here’s the full statement by the Aarogya Setu team on issues raised by the ethical hacker: