The Indian government has acknowledged potential security problems in the Aarogya Setu contact-tracing application, which the opposition calls an unsupervised tracking system, but claims that the problems with the code are not serious.
Late at night, the Twitter feed of the team developing the application confirmed that it had been alerted by an ethical hacker to a possible security issue.
The first issue raised is access to location data, which the team describes as a feature rather than a bug. The second seems more serious: a user can change the radius and latitude with a script to obtain the COVID-19 statistics displayed on the main screen for other locations.
The application team's answer is that the API that makes this possible is behind a firewall, and that the data it returns is limited and already publicly available.
Obtaining data for different latitudes in this way is no different from asking a few people for the COVID-19 statistics of their location, according to the statement.
India has made the contact-tracing application mandatory in areas where the virus occurs, although most local phones are not smartphones.
Unlike contact-tracing applications in other countries, Aarogya Setu is not open source, nor is it known to be based on other open source efforts. The Indian government has strongly encouraged its use and even made it a duty, although a Reg reader who had been ordered to install the app was able to set aside the authorities' insistence because his phone did not have access to the Indian app stores.
So why rebut two small problems with the application? Perhaps because the Indian opposition party, the National Congress, has been very critical of Aarogya Setu. Here is MP Rahul Gandhi, the leader of the largest opposition party, weighing in:
Arogya Setu is an advanced video surveillance system that has been outsourced to a private operator without any institutional supervision, resulting in serious security and privacy issues. Technology can help us ensure safety, but fear cannot be used to follow citizens without their consent.
– Rahul Gandhi (@RahulGandhi) May 2, 2020
The Indian Software Freedom Law Centre has reviewed the application and identified a number of issues, including a liability clause that indemnifies the government against liability for unauthorised access to or alteration of [user] information.
According to the Centre's lawyers, this means that the State is not liable even if a user's personal data is disclosed.
And here's the full statement from the Aarogya Setu team.
The statement of the team of #AarogyaSetu on the security of application data. pic.twitter.com/JS9ow82Hom
– Aarogya Setu (@SetuAarogya) May 4, 2020
Also in India…
Also in India, and also tweeted, Wipro will hand over one of its empty campuses to the local health authorities to be used as a hospital. The buildings in Pune will be converted to 450 seats and will become Wipro offices again in a year’s time. ®