As the Indian government aggressively pushed for widespread adoption of its contact-tracing app, Aarogya Setu, many privacy-focused groups, including the Internet Freedom Foundation (IFF), raised privacy concerns about the app. Putting an end to the ongoing rumours, the Singaporean ethical hacker Frank Liauw validated the security features of the Aarogya Setu app.
#AarogyaSetu security features get validated by Singaporean ethical hacker @frankvolkel. “The app is privacy-first by design.” 🇮🇳 Aarogya Setu Security: a code review by 🇸🇬 Frank Liauw https://t.co/7vgXkixD4E
— Amitabh Kant (@amitabhk87) May 9, 2020
After running a security review of the Singapore Government’s contact-tracing app, TraceTogether, which became widely popular among the global community for clearing the doubts regarding the privacy issues with the app, Liauw decided, at the request of an Indian user, to perform an identical investigation of the Indian government’s Aarogya Setu app.
At the outset, Liauw claimed that the Indian app’s approach to contact tracing of COVID-19 patients was radically different from the approach espoused by Singapore’s TraceTogether. Aarogya Setu’s approach, he said, “Anonymised, aggregated datasets for the purpose of generating reports, heat maps, and other statistical visualisations for the purpose of the management of COVID-19 in the country.”
Shedding some light on the inner workings of the Aarogya Setu app, Liauw organised his security review into 5 broad categories to better explain how the app functions.
Cloud
The Aarogya Setu app uses Amazon Web Services (AWS) for its backend. This enables the app to quickly scale up in the cloud to support millions of Indian users. Data centres are located in Mumbai, the Singaporean ethical hacker concludes.
Data Records and SQLite Storage
Aarogya Setu uses SQLite for on-device record storage. According to Liauw, the most significant feature that distinguishes the Aarogya Setu app from Singapore’s TraceTogether is its method of collecting the user’s latitude and longitude information about the neighbouring devices detected. The Aarogya Setu app stores the literal Bluetooth MAC addresses of the neighbouring devices and does not collect information regarding the type of the neighbouring devices.
Data Retention Policy
The review states that there is no policy in the Aarogya Setu app, either in code or in writing, to destroy records from the SQLite database on the app user’s mobile after a pre-planned time interval. Liauw attributes this lapse to the development team's lack of time to build and test the app, and hopes that the fix will be pushed in subsequent updates. However, he also added that it’s not a major issue if the records are stored indefinitely, considering that countries might be in for the long haul should the pandemic be prolonged.
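As an added illustration of the missing control described above (not code from the app or from Liauw's review), here is a time-based purge of on-device SQLite records. The table and column names, the 30-day interval, and the sample rows are assumptions made for the example.

```python
import sqlite3
import time

RETENTION_DAYS = 30  # assumed interval; the article names no value


def open_store(path=":memory:"):
    """Open the on-device store (hypothetical schema, not the app's own)."""
    db = sqlite3.connect(path)
    # With secure_delete on, SQLite overwrites deleted content with zeros,
    # so purged rows do not linger in freed pages of the database file.
    db.execute("PRAGMA secure_delete = ON")
    db.execute(
        "CREATE TABLE IF NOT EXISTS encounters ("
        " id INTEGER PRIMARY KEY,"
        " peer_mac TEXT NOT NULL,"
        " lat REAL, lon REAL,"
        " seen_at INTEGER NOT NULL)"  # Unix seconds
    )
    db.execute("CREATE INDEX IF NOT EXISTS idx_seen_at ON encounters(seen_at)")
    return db


def purge_expired(db, now=None, retention_days=RETENTION_DAYS):
    """Delete encounters older than the retention window; return rows removed."""
    if retention_days <= 0:
        raise ValueError("retention_days must be positive")
    now = int(time.time()) if now is None else int(now)
    cutoff = now - retention_days * 86400
    with db:  # one transaction: commits on success, rolls back on error
        cur = db.execute("DELETE FROM encounters WHERE seen_at < ?", (cutoff,))
    return cur.rowcount


def demo():
    """Constructed sample rows: two stale, one at the boundary, one fresh."""
    db = open_store()
    now, day = 1_700_000_000, 86400
    rows = [
        ("AA:BB:CC:00:00:01", 19.07, 72.87, now - 45 * day),
        ("AA:BB:CC:00:00:02", 19.08, 72.88, now - 31 * day),
        ("AA:BB:CC:00:00:03", 19.09, 72.89, now - 30 * day),  # at cutoff: kept
        ("AA:BB:CC:00:00:04", 19.10, 72.90, now - 1 * day),
    ]
    db.executemany("INSERT INTO encounters (peer_mac, lat, lon, seen_at) VALUES (?, ?, ?, ?)", rows)
    db.commit()
    removed = purge_expired(db, now=now)
    left = [r[0] for r in db.execute("SELECT peer_mac FROM encounters ORDER BY seen_at")]
    return removed, left
```

A purge like this would typically run on app start and on a periodic schedule, so that records expire even when the app is rarely opened.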
Runtime Security
Liauw claimed that his assessment revealed reasonable evidence of runtime security implementations to stop fiddling around with the operating system on rooted devices, and of SSL (certificate?) pinning to protect against MITM (man-in-the-middle) attacks.
Application Layer Encryption
Liauw was surprised to find an additional layer of encryption in the Indian Government’s Aarogya Setu app. He asserted that, on top of the TLS (Transport Layer Security) that comes for free with the use of HTTPS (Secure HTTP), the Aarogya Setu app encrypted the latitude and longitude information in the application using AES-GCM or RSA (depending on Android version) before transmitting it over the network.
Aarogya Setu app reassures privacy after allegations of security concerns
Several groups, including French ethical hacker Elliot Alderson, raised flags about the security of the app, claiming that the privacy of 90 million Indians is at stake, owing to a “security issue” in the Aarogya Setu app. He said that he was contacted by the National Informatics Centre (NIC) and the IT Ministry regarding the issue. In his Twitter thread, Alderson further cautioned that he would wait for a limited time before disclosing the matter to the general public.
However, a day after allegations of security issues surfaced, the official Twitter handle of Aarogya Setu replied to charges of privacy concerns on Twitter. It clarified that the app fetches the location of a user, as mentioned in its privacy policy, only during registration, self-assessment, and voluntary contact tracing. The app further reiterated that the data of a user’s location is stored in a secure, encrypted manner.