Aarogya Setu app has major red flags when it comes to security concerns

The Aarogya Setu app has been created with good intents and purposes but the blatant security risks questions a lot of that.

India, like most other countries in the world, is tackling the coronavirus crisis by imposing and recently extending a lockdown. As part of its efforts to convey information, the Modi government has come up with a new smartphone app called Aarogya Setu, which translates to "bridge to health" in Hindi. Its present purpose is to provide information on the coronavirus crisis in India and to tell users whether they have come in contact with someone carrying the virus. The app was launched on April 2 and recently claimed to have been downloaded over 50 million times within 13 days of launch, which means it broke the record held by Pokemon GO.

But behind the positive intents and purposes of the app, it appears to be riddled with security concerns. The Delhi-based, privacy-focused group the Internet Freedom Foundation (IFF) has raised red flags about the security of the Aarogya Setu app; according to its report, the app fails to comply with global privacy standards. Sidharth Deb, policy and parliamentary counsel at the Internet Freedom Foundation, says the app is a potential surveillance tool in the hands of the government.

“As such, the Aarogya Setu application appears to clearly be inconsistent with privacy-first efforts which are being considered by technologists and governments,” he writes. The IFF has compared the Aarogya Setu app with two other Covid-19 tracking apps in terms of safety parameters: the TraceTogether app from the Singapore government, and the Massachusetts Institute of Technology’s Private Kit: Safe Paths project.

Too much information needed

The Aarogya Setu app asks its users to grant access to both Bluetooth and location services. The app warns users that if these permissions are denied, it could lead to a false assessment of their Covid-19 situation. A warning like this, to an already perturbed person with no knowledge of the security issues, would tempt them to grant the permission. The app also tells users to keep their device on their person at all times, and warns that swapping devices could result in a false report.

The whole purpose of the Bluetooth permission is to detect when the smartphone of a Covid-19 positive person comes within range. Even in that case, it is not clear what information will be exchanged between the two smartphones. According to IIT-Madras Professor V Kamakoti, it is estimated that “at least 50 percent of the population needs to register to make the app effective”. The problem is that India has nowhere near that many smartphones in use. And even if the app were to become effective, the elephant in the room remains: the security concerns.

The IFF paper by Deb asks, “How will switching devices lead to a conclusion that someone is falsely identified as Covid-19 positive? Does this mean that people are categorized as Covid-19 positive based on the data collected by the application itself, instead of a formal test result to confirm a positive diagnosis? If this is indeed the case, there is a need to strongly commence dialogue to roll back the application and fine-tune the entire process.”

Privacy agreement and source code

The privacy agreement of the Aarogya Setu app uses vague language. This raises a further issue: with such a flimsy privacy policy, the government could use the data from this app for other purposes. For example, the app from the government of Singapore states that the data it collects will only be used by the department of health. But according to IFF’s paper, the privacy policy of the Aarogya Setu app makes no mention of the Ministry of Health and Family Welfare anywhere.

In terms of transparency, the other two apps cited by the IFF paper have their source code publicly available on GitHub. This enables ethical hackers to identify security concerns in the app and report them to the developers. The developers of the Aarogya Setu app have done none of this, which raises even bigger questions.

Data storage

When a user first launches the Aarogya Setu app, they are prompted to provide their mobile phone number, which is verified with a one-time password. The user is then asked to enter their name, age, gender, profession, travel history, and any known contact with a coronavirus patient. After providing all this information, they are shown a basic dashboard with general information and hygiene and social distancing protocols. There is also a feature to donate to the PM Cares fund, newly formed by the Modi government.

The data collected by the Aarogya Setu app is stored both on the device and on the app's central servers. The app's terms of service state that the data will be deleted 30 days after it is recorded. But this refers only to the user's contact details, not to the anonymised or aggregated data sets that the user's data may have become part of. Such data could remain on the central servers beyond the app's present use.

“This clearly does not suggest intent on the part of the government to destroy these systems. As a result there is a risk the personal information of users may be held for the duration of this public health crisis and beyond,” Deb wrote.

The government agencies have been pushing this app since its launch. According to reports the HRD and Rail Ministries have apparently sent out advisories urging students, teachers and employees, and their family members, to download the app.

Various social media influencers have also been approached to promote the app. One such influencer on Instagram shared with BGR India a screenshot of an email they received from a third-party platform called VU Roll. The email clearly specifies that they will not be paid for promoting the app.

Image credit: Instagram @pavemented

The email reads, among other things, “There are no fees or charges in the promotion of Aarogya Setu app as it is a complete social awareness activity requested by the government.” Prime Minister Narendra Modi himself promoted the app, despite the many security concerns, while prolonging the lockdown till May 3. The Internet Freedom Foundation has also put out an explainer on the app, educating people about the risks and how the app could be improved. The Aarogya Setu app has been developed by the Niti Aayog and is available in 11 major languages. And it’s not just the IFF: an early analysis of the app by the Defensive Lab Agency also raised red flags.

  • Published Date: April 16, 2020 7:17 PM IST
  • Updated Date: April 16, 2020 11:11 PM IST