Government Makes Available Aarogya Setu iOS Source Code On OpenForge

The Indian government has released the source code for the iOS version of the contact tracing app Aarogya Setu, two months after releasing the code for Android. The open-source code is available on the government's own open-source platform, OpenForge.

The government is yet to release the server-side code of the app, which developers and data privacy activists have repeatedly requested.

The server-side code would help them understand how the stored data is processed at the backend. Since its rollout, Aarogya Setu has been under heavy scrutiny from developers and security experts for a multitude of reasons.

According to TOI, a security audit firm, Cyber Firm has said that the user data on Aarogya Setu is “running on a significant risk of theft and abuse”. In a blog post (which has now been taken down), Yash Kadakia, founder of ShadowMap and Security Brigade CTO, reportedly said, “The company managed to get access into Aarogya Setu and discovered the source code for the entire platform, including backend infrastructure.”

In response to the blog, the government reportedly sent an official statement saying that Security Brigade had misused its engagement with the Aarogya Setu code review. “Publishing an article on the issues that the firm got to know as part of the code review violates basic principles of ethics. It is a complete breach of trust,” the statement added.

MIT Technology Review, a magazine owned by the prestigious Massachusetts Institute of Technology, has also downgraded the Aarogya Setu app on the parameter of “data minimization”, which means the app is collecting more data than it needs to work.

The report ranked 25 individual, significant automated contact tracing efforts globally on five factors – voluntary or mandatory usage, usage for public health purposes only or law enforcement, provision for deleting the data within a reasonable amount of time, data collection, and transparency. The current ranking of Aarogya Setu on these factors is 1 out of 5, according to MIT Technology Review.

In May, French ethical hacker Robert Baptiste, who goes by the name Elliot Alderson on Twitter, found a flaw in Aarogya Setu.

According to Baptiste, anyone with the right technical know-how can find out the COVID-19 status of a given area by exploiting a flaw that allows users to set a location within the Aarogya Setu application.

Using the flaw, Alderson was able to find that five people each in the Prime Minister’s Office and the defense ministry had reported that they were feeling unwell on May 6. In response, the Government has denied any security issues in the app, which was developed in a public-private joint venture.
