The team behind the Aarogya Setu app has so far declined to acknowledge any security issues
Aarogya Setu app has been downloaded by over nine crore users
Researcher claimed he was contacted by CERT-In and NIC teams
Aarogya Setu team posted a note denying the alleged security issue
French security researcher Robert Baptiste, who goes by the pseudonym Elliot Alderson on Twitter, said the Aarogya Setu app has a “security issue” that has put the privacy of crores of Indians at stake. The researcher tweeted on Tuesday to notify the government and his over 1.67 lakh followers about the alleged security issue in the government's contact tracing app. The Indian Computer Emergency Response Team (CERT-In) and National Informatics Centre (NIC) quickly reached out to him to understand the problem. However, the team behind the Aarogya Setu app refuted the claim made by the researcher.
Without specifying the loophole, the researcher tweeted on Tuesday to highlight the concerns with the Aarogya Setu app. “The privacy of 90 million Indians is at stake. Can you contact me in private?” he wrote on Twitter, tagging the official account of the contact tracing app.
The researcher also included a postscript in his tweet that said Congress MP Rahul Gandhi was right. Gandhi claimed last week that the Aarogya Setu app is a “sophisticated surveillance system” that raises “serious data security and privacy concerns.” He also said that the app is outsourced to a private operator, with no institutional oversight.
Within 49 minutes of his initial tweet, the researcher said that he was contacted by the CERT-In and NIC teams. “[The] issue has been disclosed to them,” he said.
The app is the most downloaded in India, having broken records in how quickly its download numbers have gone up. But it has drawn a lot of criticism from groups like the Software Freedom Law Center, India (SFLC.in) and the Internet Freedom Foundation (IFF), and while the app was voluntary to use to begin with, this has quickly been changing. It is required in many offices, for workers in the gig economy, and also in government offices. Most recently, the police in Noida have been enforcing the use of the app as well.
‘No risk has been proven’
The team behind the Aarogya Setu app acknowledged the communication with the researcher through a note tweeted early on Wednesday. However, it didn't provide any details about the alleged security issue and even refuted it.
“No personal information of any user has been proven to be at risk by this ethical hacker. We are continuously testing and upgrading our systems. Team Aarogya Setu assures everyone that no data or security breach has been identified,” the team wrote in the note.
Baptiste responded to the letter posted by the Aarogya Setu team saying, “I will come back to you tomorrow.” He also asked the team about triangulation — suggesting a flaw within the system that collects user data through the app.
Good record of exposing loopholes
Although there isn't any evidence supporting what the researcher has said on Twitter, other experts have raised security concerns in the Aarogya Setu app as well. The researcher also has a good record of finding serious security loopholes. He gained popularity in India by revealing security issues in the Aadhaar system in the past. Last year, the researcher also claimed that a security lapse exposed millions of Aadhaar numbers of dealers and distributors associated with LPG brand Indane. His claim was, however, denied by the brand.
In January 2018, the researcher also discovered a flaw in OnePlus' OxygenOS clipboard that was allegedly allowing data transmission to China. The smartphone brand, however, refuted the claims made by the researcher.
Jagmeet Singh writes about consumer technology for Gadgets 360, out of New Delhi. Jagmeet is a principal correspondent for Gadgets 360, and has frequently written about apps, computer security, Internet services, and telecom developments.