Aarogya Setu denies privacy breach, contradicts ethical hacker’s claims

  • Aarogya Setu has claimed that the Coronavirus tracking app is secure, and no privacy breaches have been found.
  • Elliot Alderson, an ethical hacker, had claimed that he had found a security issue in the app.
A French ethical hacker who goes by the fictitious name Elliot Alderson claimed that there was a security issue in Aarogya Setu, the coronavirus tracking app launched by the Indian government.

In his tweet, Elliot Alderson claimed that a security issue had been found in the Aarogya Setu app and that the privacy of over 90 million Indians was at risk.

Soon after this, Alderson was contacted by the National Informatics Centre (NIC) and the Indian Computer Emergency Response Team (CERT-In). After disclosing the issue to them, Alderson said that he would wait for the issue to be fixed before disclosing the gaps he discovered.

However, the government has dismissed the claims. “No personal information of any user has been proven to be at risk by this ethical hacker. We are continuously testing and upgrading our systems. Team Aarogya Setu assures everyone that no data or security breach has been identified,” Aarogya Setu said in a statement.

Alderson has said that he is not satisfied with Aarogya Setu’s response. Meanwhile, IT and telecom minister Ravi Shankar Prasad has said that user data stored in Aarogya Setu for tracking the spread of COVID-19 will be deleted once the pandemic abates.


Aarogya Setu claims there has been no privacy breach

The first claim by Alderson was that the Aarogya Setu app is fetching the user’s location. To this, the Aarogya Setu team has responded that this is by design and has been mentioned in the app’s privacy policy.

It further added that the user’s location information is stored on the server in a ‘secure, encrypted and anonymized manner’.

Alderson also claimed that users can get the Covid-19 stats displayed on the home screen by using a script to change the radius and latitude-longitude. The team has claimed that the radius parameters are fixed and can take only one of the five specified values.

While it is possible to change the latitude and longitude to get data for multiple locations, the Aarogya Setu team claims that bulk calls to the API are not possible, as it is behind a web application firewall.
