Wednesday, November 25, 2020

Amidst cries of privacy concerns, Singaporean ethical hacker Frank Liauw gives thumbs-up to security features of Aarogya Setu app


As the Indian government aggressively pushed for widespread adoption of its contact-tracing app, Aarogya Setu, many privacy-focused groups, including the Internet Freedom Foundation (IFF), raised privacy concerns about the app. Putting an end to the ongoing rumours, the Singaporean ethical hacker Frank Liauw validated the security features of the Aarogya Setu app.

After running a security review of the Singapore Government’s contact-tracing app TraceTogether, which became widely popular among the global community for clearing doubts about privacy issues with the app, Liauw decided, at the request of an Indian user, to perform an identical investigation of the Indian government’s Aarogya Setu app.

At the outset, Liauw claimed that the Indian app’s approach to contact tracing COVID-19 patients was radically different from the approach espoused by Singapore’s TraceTogether. Of Aarogya Setu’s approach, he said: “Anonymised, aggregated datasets for the purpose of generating reports, heat maps, and other statistical visualisations for the purpose of the management of COVID-19 in the country.”

Shedding some light on the inner workings of the Aarogya Setu app, Liauw divided his security review broadly into 5 categories to better explain the functioning of the app.

Cloud

The Aarogya Setu app uses Amazon Web Services (AWS) for its backend. This enables the app to scale up quickly in the cloud to support millions of Indian users. The data centres are located in Mumbai, the Singaporean ethical hacker concludes.

Data Records and SQLite Storage

Aarogya Setu uses SQLite for on-device record storage. According to Liauw, the most significant feature distinguishing the Aarogya Setu app from Singapore’s TraceTogether is that it collects the user’s latitude and longitude information along with the neighbouring devices detected. The Aarogya Setu app stores the literal Bluetooth MAC addresses of the neighbouring devices and does not collect information about the type of those devices.

Data Retention Policy

The review states that there is no policy in the Aarogya Setu app, either in code or in writing, to destroy records from the SQLite database on the user’s mobile after a pre-planned time interval. Liauw attributes this lapse to the development team’s lack of time to build and test the app, and hopes that a fix will be pushed in subsequent updates. However, he also added that it is not a major issue if the records are stored indefinitely, considering that countries might be in for the long haul should the pandemic be prolonged.

Runtime Security

Liauw claimed that his assessment revealed reasonable evidence of runtime security implementations: protection against tampering with the operating system on rooted devices, and SSL (certificate) pinning to protect against MITM (man-in-the-middle) attacks.

Application Layer Encryption

Liauw was surprised to find an additional layer of encryption in the Indian Government’s Aarogya Setu app. He asserted that on top of the TLS (Transport Layer Security) that comes for free with the use of HTTPS (Secure HTTP), the Aarogya Setu app encrypts the latitude and longitude information in the application using AES-GCM or RSA (depending on the Android version) before transmitting it over the network.

Aarogya Setu app reassures privacy after allegations of security concerns

Several groups and individuals, including French ethical hacker Elliot Alderson, raised flags about the security of the app, claiming that the privacy of 90 million Indians was at stake owing to a “security issue” in the Aarogya Setu app. Alderson said that he had been contacted by the National Informatics Centre (NIC) and the IT Ministry regarding the issue. In his Twitter thread, Alderson further cautioned that he would wait for a limited time before disclosing the matter to the general public.

However, a day after allegations of security issues surfaced, the official Twitter handle of Aarogya Setu replied to charges of privacy concerns on Twitter. It clarified that the app fetches the location of a user, as mentioned in its privacy policy, only during registration, self-assessment, and voluntary contact tracing. The app further reiterated that the data of a user’s location is stored in a secure, encrypted manner.


OpIndia Staff (https://www.opindia.com)
Staff reporter at OpIndia
