In a series of tweets, a French Android applications developer and cyber security expert, using the moniker Elliot Alderson, raised concerns about Modi government's Aarogya Setu app.
Alderson concluded his 'findings' on the coronavirus tracker app in an article which he titled 'Aarogya Setu: The Story of a failure'.
"I wrote an article to describe the issues I reported to the @SetuAarogya. I hope it will allow people to understand the situation and why it's an important issue. I hope you like it, all feedback is welcome," Alderson tweeted with a link to his article.
Explaining the reasons for writing the article, he said: "I took the time to write this article for two reasons:
- I want to be transparent. You have all the info, even the technical info.
- Sharing is caring. Maybe it will give ideas to other bug bounty hunters and security lovers in general."
Alderson begins his article by describing the situation of people in Noida: anyone who does not have the app installed on their phone can be imprisoned for up to six months or fined up to Rs 1000.
He went on to explain that, because the app performed no host validation, an attacker could access the app's internal files, a potential breach of the user's privacy.
According to Alderson, the app developers 'silently' fixed the aforementioned issue.
The ethical hacker then continued his analysis on a rooted device (the Android equivalent of a jailbroken iPhone), but the app refused to run on it because of its security checks.
He bypassed the root-detection features by writing some code, and once he could use the app he discovered a feature that lets users see how many people have self-assessed in their area.
The radius of the area can be selected from 500 m, 1 km, 2 km, 5 km or 10 km.
With that said, Alderson concluded his 'findings' by revealing how an attacker could retrieve a lot of information, including:
- the number of infected people
- the number of unwell people
- the number of people declared Bluetooth positive
- the number of self-assessments made around the attacker's area
- the number of people using the app around the attacker's area
"Thanks to this endpoint an attacker can know who is infected anywhere in India, in the area of his choice. I can know if my neighbour is sick for example. Sounds like a privacy issue for me," he wrote.
He went on to reveal the number of infected people in some areas.
In the conclusion of his article, Alderson said: "As you saw in the article, it was totally possible to use a different radius than the 5 hardcoded values, so clearly they are lying on this point and they know that."
"They even admit that the default value is now 1km, so they did a change in production after my report. The funny thing is they also admit a user can get the data for multiple locations.
"Thanks to triangulation, an attacker can get with a meter precision the health status of someone.
"Bulk calls are possible my man. I spent my day calling this endpoint and you know it too.
"I'm happy they quickly answered my report and fixed some of the issues but seriously: stop lying, stop denying."
The Aarogya Setu app is available in 11 languages on both Android as well as iOS devices. It has been downloaded by 90 million people so far.