Friday, November 22, 2024
HomeGovernment and PolicyAmidst cries of privacy concerns, Singaporean ethical hacker Frank Liauw gives thumbs-up to security...

Amidst cries of privacy concerns, Singaporean ethical hacker Frank Liauw gives thumbs-up to security features of Aarogya Setu app

Liauw was surprised to find the existence of an additional layer of encryption in the Indian Government's Aarogya Setu app. He asserted that on top of TLS (Transport Layer Security) that's free from the use of HTTPS (Secure HTTP), the Aarogya Setu app encrypted the latitude and longitude information in the application using AES-GCM or RSA (depending on Android version) before transmitting it over the network.

As the Indian government aggressively pushed for widespread adoption of its contact-tracing app, Aarogya Setu, many privacy-focused groups, including the Internet Freedom Foundation (IFF), raised questions over the privacy concerns of the app. Putting an end to the ongoing rumours, the Singaporean ethical hacker Frank Liauw validated the security features of the Aarogya Setu app.

After running a security review of Singapore Government’s contact tracing app- TraceTogether which became widely popular among the global community for clearing the doubts regarding the privacy issues with the app, Liauw, on the request of one Indian user decided to perform an identical investigation on the Indian government’s Aarogya Setu app.

At the outset, Liauw claimed that the Indian app’s approach in contact tracing the COVID-19 patients was radically different than the approach espoused by Singapore’s TraceTogether. Aarogya Setu’s approach, he said, “Anonymised, aggregated datasets for the purpose of generating reports, heat maps, and other statistical visualisations for the purpose of the management of COVID-19 in the country.”

Shedding some light on the inner workings of the Aarogya Setu app, Liauw categorised his security review broadly in 5 categories to better understand the functioning of the app.

Cloud

Aarogya Setu app uses Amazon Web Services (AWS) for its backend. This enables the app to quickly scale up in the cloud to support millions of Indian users. Data centres are located in Mumbai, the Singaporean ethical hacker concludes.

Data Records and SQLite Storage

Aarogya Setu uses SQLite for on-device record storage. According to Liauw, the most significant feature of Aarogya Setu app which distinguishes it from Singapore’s Trace Together is the method collection of the user’s latitude and longitude information about the neighbouring devices detected. The Aarogya Setu app stores literal Bluetooth mac addresses of the neighbouring devices and does not collect the information regarding the type of the neighbouring devices.

Data Retention Policy

The review states that there is no policy in Aarogya Setu app, either in code or write, to destroy records from the SQLite database from the app user’s mobile after a pre-planned time interval. However, Liauw attributes this lapse to the lack of time for the development team to build and test the app, hoping that the fix will be pushed in the subsequent updates. However, he also added that it’s not a major issue if the records are stored indefinitely, considering that countries might be in for the long-haul should the pandemic prolongs.

Runtime Security

Liauw claimed that his assessment revealed that there is reasonable evidence of runtime security implementations to stop fiddling around with the operating system on rooted device and SSL(certificate?) pining to protect against the MITM(man in the middle) attacks.

Application Layer Encryption

Liauw was surprised to find the existence of an additional layer of encryption in the Indian Government’s Aarogya Setu app. He asserted that on top of TLS (Transport Layer Security) that’s free from the use of HTTPS (Secure HTTP), the Aarogya Setu app encrypted the latitude and longitude information in the application using AES-GCM or RSA (depending on Android version) before transmitting it over the network.

Aarogya Setu app reassures privacy after allegations of security concerns

Several groups, including French ethical hacker Elliot Alderson, raised flags about the security concerns of the app, claiming that the privacy of 90 million Indians is at stake, owing to a “security issue” in the Aarogya Setu app. He informed that he was contacted by the National Informatics Centre (NIC) and the IT Ministry regarding the issue. In his Twitter thread, Anderson further cautioned that he would wait for a limited time before disclosing the matter to the general public.

However, a day after allegations of security issues surfaced, the official Twitter handle of Aarogya Setu replied to charges of privacy concerns on Twitter. It clarified that the app fetches the location of a user, as mentioned in its privacy policy, only during registration, self-assessment, and voluntary contact tracing. The app further reiterated that the data of a user’s location is stored in a secure, encrypted manner.

Join OpIndia's official WhatsApp channel

  Support Us  

Whether NDTV or 'The Wire', they never have to worry about funds. In name of saving democracy, they get money from various sources. We need your support to fight them. Please contribute whatever you can afford

OpIndia Staff
OpIndia Staffhttps://www.opindia.com
Staff reporter at OpIndia

Related Articles

Trending now

- Advertisement -