Thursday, August 6, 2020

Amidst cries of privacy concerns, Singaporean ethical hacker Frank Liauw gives thumbs-up to security features of Aarogya Setu app


As the Indian government aggressively pushed for widespread adoption of its contact-tracing app, Aarogya Setu, many privacy-focused groups, including the Internet Freedom Foundation (IFF), raised questions over the privacy concerns of the app. Putting an end to the ongoing rumours, the Singaporean ethical hacker Frank Liauw validated the security features of the Aarogya Setu app.

After running a security review of the Singapore Government’s contact-tracing app TraceTogether, which became widely popular among the global community for clearing the doubts regarding the privacy issues with the app, Liauw, at the request of one Indian user, decided to perform an identical investigation on the Indian government’s Aarogya Setu app.

At the outset, Liauw claimed that the Indian app’s approach to contact tracing COVID-19 patients was radically different from the approach espoused by Singapore’s TraceTogether. Aarogya Setu’s approach, he said, “Anonymised, aggregated datasets for the purpose of generating reports, heat maps, and other statistical visualisations for the purpose of the management of COVID-19 in the country.”

Shedding some light on the inner workings of the Aarogya Setu app, Liauw organised his security review into five broad categories to better explain the functioning of the app.

Cloud

Aarogya Setu app uses Amazon Web Services (AWS) for its backend. This enables the app to quickly scale up in the cloud to support millions of Indian users. Data centres are located in Mumbai, the Singaporean ethical hacker concludes.

Data Records and SQLite Storage

Aarogya Setu uses SQLite for on-device record storage. According to Liauw, the most significant feature that distinguishes the Aarogya Setu app from Singapore’s TraceTogether is its collection of the user’s latitude and longitude information along with the neighbouring devices detected. The Aarogya Setu app stores the literal Bluetooth MAC addresses of the neighbouring devices and does not collect information regarding the type of the neighbouring devices.

Data Retention Policy

The review states that there is no policy in the Aarogya Setu app, either in code or in writing, to destroy records from the SQLite database on the app user’s mobile after a pre-planned time interval. However, Liauw attributes this lapse to the lack of time for the development team to build and test the app, hoping that the fix will be pushed in subsequent updates. He also added that it’s not a major issue if the records are stored indefinitely, considering that countries might be in for the long haul should the pandemic be prolonged.
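An in-code retention policy of the kind the review found missing could look like the following sketch. It is an added example, not code from the Aarogya Setu app or from Liauw's review; the table and column names, the 30-day window and the sample records are assumptions made for illustration.

```python
import sqlite3
import time

RETENTION_DAYS = 30  # assumed window; the article names no figure

# Hypothetical schema: one row per neighbouring device sighting.
SCHEMA = """
CREATE TABLE IF NOT EXISTS nearby_devices (
    id      INTEGER PRIMARY KEY,
    mac     TEXT    NOT NULL,
    lat     REAL,
    lon     REAL,
    seen_at INTEGER NOT NULL          -- Unix seconds
);
CREATE INDEX IF NOT EXISTS idx_seen_at ON nearby_devices(seen_at);
"""

def open_store(path=":memory:"):
    conn = sqlite3.connect(path)
    # Overwrite deleted rows with zeros so purged records cannot be
    # recovered from free pages of the database file.
    conn.execute("PRAGMA secure_delete = ON")
    conn.executescript(SCHEMA)
    return conn

def record_contact(conn, mac, lat, lon, seen_at):
    conn.execute(
        "INSERT INTO nearby_devices (mac, lat, lon, seen_at) VALUES (?, ?, ?, ?)",
        (mac, lat, lon, seen_at),
    )
    conn.commit()

def purge_expired(conn, now=None, retention_days=RETENTION_DAYS):
    """Delete sightings older than the retention window; return rows removed."""
    now = int(time.time()) if now is None else now
    cutoff = now - retention_days * 86400
    cur = conn.execute("DELETE FROM nearby_devices WHERE seen_at < ?", (cutoff,))
    conn.commit()
    return cur.rowcount

def remaining_macs(conn):
    rows = conn.execute("SELECT mac FROM nearby_devices ORDER BY seen_at")
    return [r[0] for r in rows]

if __name__ == "__main__":
    # Constructed sample data (locally administered MACs, made-up coordinates).
    now = 1_600_000_000
    store = open_store()
    record_contact(store, "02:00:00:00:00:01", 19.07, 72.87, now - 45 * 86400)
    record_contact(store, "02:00:00:00:00:02", 19.08, 72.88, now - 30 * 86400)
    record_contact(store, "02:00:00:00:00:03", 19.09, 72.89, now - 1 * 86400)
    print("purged:", purge_expired(store, now=now))
    print("kept:", remaining_macs(store))
```

Running the purge at app start and on a periodic schedule keeps the on-device history bounded even if the user never opens the app's settings.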

Runtime Security

Liauw claimed that his assessment revealed reasonable evidence of runtime security implementations to stop fiddling around with the operating system on rooted devices, and of SSL (certificate) pinning to protect against MITM (man-in-the-middle) attacks.

Application Layer Encryption

Liauw was surprised to find the existence of an additional layer of encryption in the Indian Government’s Aarogya Setu app. He asserted that on top of the TLS (Transport Layer Security) that comes for free with the use of HTTPS (Secure HTTP), the Aarogya Setu app encrypted the latitude and longitude information in the application using AES-GCM or RSA (depending on Android version) before transmitting it over the network.

Aarogya Setu app reassures privacy after allegations of security concerns

Several groups, including French ethical hacker Elliot Alderson, raised flags about the security concerns of the app, claiming that the privacy of 90 million Indians is at stake, owing to a “security issue” in the Aarogya Setu app. He said that he was contacted by the National Informatics Centre (NIC) and the IT Ministry regarding the issue. In his Twitter thread, Alderson further cautioned that he would wait for a limited time before disclosing the matter to the general public.

However, a day after allegations of security issues surfaced, the official Twitter handle of Aarogya Setu replied to charges of privacy concerns on Twitter. It clarified that the app fetches the location of a user, as mentioned in its privacy policy, only during registration, self-assessment, and voluntary contact tracing. The app further reiterated that the data of a user’s location is stored in a secure, encrypted manner.


OpIndia Staff, https://www.opindia.com
Staff reporter at OpIndia
