While the debate over India mandating that its citizens install the Aarogya Setu app continues, an interesting story has emerged regarding the privacy implications of using it. A hacker on Twitter going by the name Elliot Alderson has detailed how the Aarogya Setu app leaks data: counts of people who are infected, unwell, tested and using the app around you. By tampering with a few request parameters, he claims anyone can find out how many people are infected anywhere in India, in an area of their choice!
India's COVID-19 contact tracing app, Aarogya Setu, has been pushed aggressively by the ruling government and is accused by opposition parties of being a surveillance tool. While the politicians fight over it, the hacker known as Elliot Alderson, who previously exposed weak security in India's Aadhaar system, has now raised similar concerns about the Aarogya Setu app.
Flaw Allowing Access to Internal Files
As per his Medium blog post, he detailed how anyone can query the COVID-19 statistics for any point in India, from anywhere. He first found a bug on April 3rd, just two days after the app was launched, in a WebViewActivity meant for displaying web pages. Deeper analysis showed it could also be used to trigger the dialer and pre-fill a phone number.
It can be considered as a security issue 😁 pic.twitter.com/A1Rj44m2me
— Elliot Alderson (@fs0c131y) April 3, 2020
Further, the app did no proper host validation on the pages that WebView would load, which allowed access to the internal files about COVID-19 that the app collects. He demonstrated this with a video, and the Indian authorities removed the issue in the next update.
Flaw Returning More Data Than Required
But the next update gave Elliot more to work with. Version 1.1.1 of Aarogya Setu, which he tested on a rooted phone on May 4th, let him learn how many people are sick anywhere in India. To do so he bypassed the app's certificate pinning so he could intercept the requests the app makes to its servers, and the responses revealed far more than necessary.
A feature in the Aarogya Setu app shows users how many people have taken the self-assessment test in their area. The area is a radius chosen from five values: 500 m, 1 km, 2 km, 5 km or 10 km. When a radius is selected, the user's precise location (latitude and longitude) and the chosen radius are sent to government servers, which return the count of self-assessments in that area.
But the server returns much more than the app asks for. The data Elliot (or anyone) can obtain is:
- the number of unwell people,
- the number of infected people,
- the number of people declared Bluetooth positive,
- the number of self-assessments made around you, and
- the number of people using the app around you.
The last thing Elliot tried was setting the radius by hand to a value the app does not offer. It worked: he set a radius of 100 km and received the same information. The location can also be set arbitrarily; Elliot set his location to New Delhi and got results for that area. He concludes that this is a serious privacy breach and should be fixed.
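The request flow described above (client sends coordinates and a radius, server answers with counts) is easy to model, and the model makes clear what the server should have checked. The following is an added example, not code from the Aarogya Setu app or from the researcher: it contrasts a server that trusts whatever radius and coordinates the client sends and returns every aggregate, with one that only accepts the five radii the UI can request, returns only the count the feature displays, and withholds counts too small to be a statistic rather than a person. The function names, the status labels, the suppression threshold and the sample population around New Delhi are assumptions constructed for the illustration.

```python
"""
Added example (not the app's or the researcher's code) modelling the
"nearby self-assessment count" request and a server-side fix for the
parameter tampering described in the article. Names, status labels,
thresholds and the sample users are constructed assumptions.
"""
import math
from dataclasses import dataclass

# The five radii the app's UI offers, in metres.
ALLOWED_RADII_M = frozenset({500, 1_000, 2_000, 5_000, 10_000})

# Below this many matches the count is withheld: in a 500 m circle a count
# of one is effectively a person, not a statistic. Threshold is an assumption.
DEFAULT_MIN_COUNT = 5


@dataclass(frozen=True)
class User:
    uid: str
    lat: float
    lon: float
    status: str          # "infected", "unwell", "bluetooth_positive" or "healthy" (constructed labels)
    self_assessed: bool  # took the in-app self-assessment


# Constructed sample population around New Delhi plus one user in Mumbai.
SAMPLE_USERS = (
    User("u1", 28.6139, 77.2090, "infected", True),
    User("u2", 28.6150, 77.2090, "unwell", False),              # ~120 m north of u1
    User("u3", 28.6300, 77.2090, "bluetooth_positive", False),  # ~1.8 km north of u1
    User("u4", 28.7000, 77.2090, "healthy", True),              # ~9.6 km north of u1
    User("u5", 19.0760, 72.8777, "infected", True),             # Mumbai, ~1150 km away
)


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres using a mean Earth radius of 6371 km."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6_371_000 * math.asin(math.sqrt(a))


def _within(lat, lon, radius_m, users):
    return [u for u in users if haversine_m(lat, lon, u.lat, u.lon) <= radius_m]


def nearby_stats_vulnerable(lat, lon, radius_m, users=SAMPLE_USERS):
    """Behaviour the article describes: any coordinates, any radius, every aggregate returned."""
    hits = _within(lat, lon, radius_m, users)
    return {
        "unwell": sum(u.status == "unwell" for u in hits),
        "infected": sum(u.status == "infected" for u in hits),
        "bluetooth_positive": sum(u.status == "bluetooth_positive" for u in hits),
        "self_assessments": sum(u.self_assessed for u in hits),
        "users": len(hits),
    }


def validate_radius(radius_m):
    """True only for an integer radius the UI can actually request (bool is rejected on purpose)."""
    return isinstance(radius_m, int) and not isinstance(radius_m, bool) and radius_m in ALLOWED_RADII_M


def nearby_stats_hardened(lat, lon, radius_m, users=SAMPLE_USERS, min_count=DEFAULT_MIN_COUNT):
    """Enforce the UI's radii, sanity-check coordinates, and return only the one count the feature shows."""
    if not validate_radius(radius_m):
        raise ValueError(f"radius {radius_m!r} m is not one of {sorted(ALLOWED_RADII_M)}")
    if not (-90.0 <= lat <= 90.0 and -180.0 <= lon <= 180.0):
        raise ValueError("coordinates out of range")
    count = sum(u.self_assessed for u in _within(lat, lon, radius_m, users))
    if count < min_count:
        # Small counts in a small circle identify individuals; withhold them.
        return {"self_assessments": None, "suppressed": True}
    return {"self_assessments": count, "suppressed": False}


if __name__ == "__main__":
    delhi = (28.6139, 77.2090)
    print("tampered 100 km query:", nearby_stats_vulnerable(*delhi, 100_000))
    try:
        nearby_stats_hardened(*delhi, 100_000)
    except ValueError as exc:
        print("hardened server rejected it:", exc)
    print("hardened 10 km query:", nearby_stats_hardened(*delhi, 10_000, min_count=1))
```

The allowlist is the check that would have stopped the 100 km query outright; the trimmed response removes the infected, unwell and Bluetooth-positive counts the UI never displays; and the suppression threshold addresses the remaining risk that a legitimate 500 m query with a count of one points at a specific person. Where the device's location comes from is left as the client's claim here, because the server has no independent way to verify it, so rate limiting per account would be the next control to add.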
Though the IT minister had previously assured that the app is safe, minor tweaks to the requests the app sends can now yield precise COVID-19 statistics for any area in India. Elliot is now asking the Indian government to make the Aarogya Setu app's source code public, as other nations have done with their contact tracing apps.
Source: Elliot Alderson