An ethical hacker alerted the Aarogya Setu team to potential security threats in the app.
The team behind Aarogya Setu, the app designed and developed to track Covid-19 infected patients, has been alerted by an ethical hacker to potential security threats in the app.
Team Aarogya Setu issued a statement on data security of the App.
The statement from Aarogya Setu came just after Apple and Google said they would bar apps built on their new contact tracing system from using location tracking to detect Covid-19 positive patients.
— Aarogya Setu (@SetuAarogya) May 5, 2020
The team stated that the app fetches the user's location on only a few occasions:
- At the time of registration.
- At the time of self-assessment.
- When a user voluntarily submits their contact tracing data through the app, or when the team fetches the contact tracing data of a user after they have tested COVID-19 positive.
They confirmed that all user details collected by the app are stored in a secure, encrypted and anonymised manner.
A user can change the COVID-19 stats displayed on the Home Screen by altering the radius and latitude/longitude with a script.
The radius parameter is fixed and can only take one of five values: 500 metres, 1 km, 2 km, 5 km and 10 km. These values are standard parameters, posted as HTTP headers. Any other value in the “distance” HTTP header is defaulted to 1 km.
The user can change the latitude/longitude to get the data for multiple locations. The API call is, however, behind a Web Application Firewall, and hence bulk calls are not possible. Getting data for multiple latitude/longitude pairs this way is no different from asking several people for the COVID-19 statistics of their locations. All this information is already public for all locations and hence does not compromise any personal or sensitive data.
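The request-handling policy the statement describes (a fixed set of radii carried in a "distance" header with anything else falling back to 1 km, caller-supplied coordinates, and a WAF that stops bulk querying of many coordinates) can be reproduced in a few dozen lines. The example below is added here and is not the app's own code: the header names, the handler name and the rate-limit numbers are assumptions chosen for illustration, and the sliding-window limiter stands in for whatever rule the real WAF applies.

```python
"""
Added example (not Aarogya Setu's code): server-side policy for a
"stats by radius" endpoint, as described in the team's statement.

Assumptions made here for illustration:
  * headers "distance", "lat" and "lon" carry the radius and coordinates
  * five allowed radii in metres, anything else defaults to 1 km
  * a per-client sliding-window limiter plays the role of the WAF rule
    that blocks bulk calls
"""
from collections import deque
import time

ALLOWED_DISTANCES_M = {500, 1000, 2000, 5000, 10000}
DEFAULT_DISTANCE_M = 1000


def normalise_distance(header_value):
    """Map the raw 'distance' header to one of the five allowed radii.

    Unparsable values and values outside the allowed set default to 1 km,
    mirroring the behaviour the statement describes.
    """
    try:
        value = int(str(header_value).strip())
    except (TypeError, ValueError):
        return DEFAULT_DISTANCE_M
    return value if value in ALLOWED_DISTANCES_M else DEFAULT_DISTANCE_M


def parse_coordinates(lat_raw, lon_raw):
    """Return (lat, lon) as floats, or None if unparsable or out of range."""
    try:
        lat, lon = float(lat_raw), float(lon_raw)
    except (TypeError, ValueError):
        return None
    if not (-90.0 <= lat <= 90.0 and -180.0 <= lon <= 180.0):
        return None
    return lat, lon


class SlidingWindowLimiter:
    """Allow at most `limit` requests per client in any `window_s` seconds.

    The clock is injectable so the behaviour can be checked deterministically.
    """

    def __init__(self, limit, window_s, clock=time.monotonic):
        self.limit = limit
        self.window = window_s
        self.clock = clock
        self.hits = {}  # client_id -> deque of request timestamps

    def allow(self, client_id):
        now = self.clock()
        q = self.hits.setdefault(client_id, deque())
        while q and now - q[0] >= self.window:  # drop hits outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def handle_stats_request(headers, client_id, limiter):
    """Validate one request; return a dict with the HTTP status and parameters.

    Rate limiting is checked first so that malformed requests also consume
    quota, which is what a WAF in front of the app would do.
    """
    if not limiter.allow(client_id):
        return {"status": 429, "error": "rate limited"}
    h = {k.lower(): v for k, v in headers.items()}
    coords = parse_coordinates(h.get("lat"), h.get("lon"))
    if coords is None:
        return {"status": 400, "error": "invalid coordinates"}
    lat, lon = coords
    return {"status": 200, "lat": lat, "lon": lon,
            "distance_m": normalise_distance(h.get("distance"))}


if __name__ == "__main__":
    # Constructed burst from one client: the fourth call is refused.
    limiter = SlidingWindowLimiter(limit=3, window_s=60)
    for dist in ("500", "7000", "10km", "2000"):
        hdrs = {"distance": dist, "lat": "28.6139", "lon": "77.2090"}
        print(dist, "->", handle_stats_request(hdrs, "203.0.113.7", limiter))
```

Note that the radius whitelist alone does not stop enumeration: a script can still walk a grid of coordinates with a valid radius, which is why the limiter (or the WAF it stands in for) is the control that matters for bulk collection.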
The Aarogya Setu team further said, “We are continuously testing and upgrading our systems. Team Aarogya Setu assures everyone that no data or security breach has been identified.”
They also thanked the ethical hacker for engaging with them. Any user who identifies a vulnerability can inform the team immediately at [email protected]
The app has already crossed 90 million downloads across different platforms.