A day after French ethical hacker Elliot Alderson pointed out issues with Aarogya Setu which puts ‘privacy of 90 million Indians at stake’, app developers issue clarification
New Delhi: The Aarogya Setu team has issued a statement on the app's data security, stating that "no data or security breach has been identified," after French ethical hacker Elliot Alderson tweeted late on Tuesday about a "security issue" in the app.
Alderson tweeted, "Hi @SetuAarogya, A security issue has been found in your app. The privacy of 90 million Indians is at stake. Can you contact me in private?
PS: @RahulGandhi was right."
He later tweeted, "49 minutes after this tweet, @IndianCERT and @NICMeity contacted me. Issue has been disclosed to them."
"To be super clear:
- I'm waiting for a fix from their side before disclosing publicly the issue. Putting the medical data of 90 million Indians is not an option.
- I have a very limited patience, so after a reasonable deadline, I will disclose it, fixed or not."
Aarogya Setu's statement pointed out the two issues discussed with the hacker: "the app fetches user location on a few occasions" and "user can get the COVID-19 stats displayed on Home Screen by changing the radius and latitude-longitude using a script."
It said the app is designed to collect a user's location at certain points in the process: while the user is setting up the app and registering, when the user is making a self-assessment, and every time a user either voluntarily shares their contact tracing data from within the app or a self-assessment indicates the user is COVID-positive.
On the second issue, the Aarogya Setu developers said, "The radius parameters are fixed and can only take one of the five values: 500 meters, 1km, 2km, 5km and 10km." They say this does not compromise any personal or sensitive data because the information is already public for all locations.
"No personal information of any user has been proven to be at risk by this ethical hacker. We are continuously testing and upgrading our systems. Team Aarogya Setu assures everyone that no data or security breach has been identified."
This issue comes at a time of widespread concern about user privacy. The app has been mandated for all government employees and for several others availing of Centre/State provisions for returning home.