Aarogya Setu app is secure and private, government says after hacker raises concerns

Aarogya Setu team says there has been no data or security breach

Highlights
  • French security researcher claims to have found a security issue in the Aarogya Setu app 
  • The government assures the COVID-19 contact tracing app is secure and private 

French security researcher Robert Baptiste, who goes by Elliot Alderson on Twitter, claims to have found a security flaw in the Indian government-developed Aarogya Setu app that can potentially put the privacy of 90 million registered users at stake. The hacker is yet to reveal specific details about the flaws that he discovered, but the government has already responded to his tweet, stating that the Aarogya Setu app is secure and that no personal data is at risk. Aarogya Setu is a COVID-19 contact tracing application that has been downloaded by millions of people in India.

“No personal information of any user has been proven to be at risk by this ethical hacker. We are continuously testing and upgrading our systems. Team Aarogya Setu assures everyone that no data or security breach has been identified,” the government said in a statement.

The Aarogya Setu team states that the app fetches user location only on a few occasions by design, and that this is detailed in the app’s privacy policy. It accesses user location information at the time of registration, during self-assessment, and when a user voluntarily submits their contact tracing data through the app or when the team fetches the contact tracing data of a user after they have tested COVID-19 positive. Users can change the radius used for the COVID-19 stats displayed on the home screen; the options include 500 metres, 1km, 2km, 5km and 10km. These values are standard parameters, posted with HTTP headers, the statement reads.

The ethical hacker, however, is not convinced by the government’s statement regarding the privacy and security of the Aarogya Setu app. He plans to reveal more information about the app’s vulnerabilities very soon. The COVID-19 contact tracing app has been a major topic lately, with concerns about the way it collects and stores data and about its potential use as a tool for mass surveillance by the government. Meanwhile, the Centre has mandated that public sector and private employees should have the Aarogya Setu app installed on their phones and self-assess before reaching office. It is also reported that the app must be pre-installed on all upcoming smartphones.