No data, security breach of Aarogya Setu has happened; it has no vulnerability, say app developers


The developers of Aarogya Setu, the contact-tracing app developed by the Ministry of Electronics and Information Technology, on Tuesday (May 5) stressed that “no data or security breach had been identified” in the app.

The developers of the Aarogya Setu app, which is used to trace coronavirus COVID-19 patients, said that the app had no security vulnerability. They responded shortly after French security researcher Robert Baptiste, better known as Elliott Alderson, pointed out that the app is capable of leaking the data of the around 9 crore users who have downloaded it.

“No personal information of any user has been proven to be at risk by this ethical hacker,” Aarogya Setu said in a statement on its Twitter handle. “We are continuously testing and upgrading our systems. Team Aarogya Setu assures everyone that no data or security breach has been identified.”

The Aarogya Setu app developers said that they were alerted “by an ethical hacker of a potential security issue in the app”, which they discussed with him, but “no personal information of any user has been proven to be at risk” by the hacker.

According to the developers, the hacker had pointed out two issues: “the app fetches user location on a few occasions”, and a “user can get the Covid-19 stats displayed on the home screen by changing the radius and latitude-longitude using a script.”

According to the AaSetu team, the fetching of a user’s location is “by design”, and it is “stored on the server in a secure, encrypted and anonymized manner.”

Regarding the second issue, the team said the radius parameters on the app “are fixed and can only take one of the five values: 500m, 1km, 2km, 5 km, and 10 km.” It added that the “information does not compromise on any personal or sensitive data”.

It is to be noted that the Centre has made it mandatory for all public sector and private employees who go to offices to download the app.