Indian Government Denies Security Vulnerabilities in Aarogya Setu App

May. 6, 2020



A day after noted cyber-security researcher Baptiste Robert, aka Elliot Alderson (@fs0c131y), claimed that a serious security vulnerability in the controversial Aarogya Setu app may have jeopardized the privacy of 90 million people online, the Indian government has issued a detailed denial, claiming that the issues pointed out by the researcher are included in the app ‘by design’.

In its rebuttal, the government claimed that the app only fetches user locations in a few cases, including at the time of registration, at the time of self-assessment, when the user submits their contact-tracing data voluntarily, or when the user is COVID-positive. The location-tracking, it said, is “for everyone’s benefit”, and the data is stored “in a secure, encrypted and anonymized manner”. Robert, however, is sticking to his guns, and has vowed to come back with more details about the vulnerabilities later today.

After the successive data breaches at Aadhaar over the past couple of years, cyber-security analysts, civil liberties advocates and industry insiders were already skeptical about Aarogya Setu, with the non-profit Internet Freedom Foundation (IFF) recently sending a joint representation to the Prime Minister’s Office urging the government against the mandatory use of the Aarogya Setu app because of privacy concerns.

Now, with new revelations about the app, opposition to its mandatory installation on smartphones will become an even bigger issue among many people around the country, but it will be interesting to see if the government will acknowledge that, whether by design or by accident, the app does include several provisions that are highly disconcerting and should be addressed immediately.
