Thursday, June 24, 2021

Amidst cries of privacy concerns, Singaporean ethical hacker Frank Liauw gives thumbs-up to security features of Aarogya Setu app


As the Indian government aggressively pushed for widespread adoption of its contact-tracing app, Aarogya Setu, many privacy-focused groups, including the Internet Freedom Foundation (IFF), raised questions over the privacy concerns of the app. Putting an end to the ongoing rumours, the Singaporean ethical hacker Frank Liauw validated the security features of the Aarogya Setu app.

After running a security review of the Singapore Government’s contact-tracing app, TraceTogether, which became widely popular among the global community for clearing doubts about the app's privacy issues, Liauw decided, at the request of an Indian user, to perform an identical investigation of the Indian government’s Aarogya Setu app.

At the outset, Liauw claimed that the Indian app’s approach to contact tracing COVID-19 patients was radically different from the approach espoused by Singapore’s TraceTogether. Aarogya Setu’s approach, he said, involves “Anonymised, aggregated datasets for the purpose of generating reports, heat maps, and other statistical visualisations for the purpose of the management of COVID-19 in the country.”

Shedding some light on the inner workings of the Aarogya Setu app, Liauw divided his security review into five broad categories to better explain how the app functions.

Cloud

The Aarogya Setu app uses Amazon Web Services (AWS) for its backend. This enables the app to quickly scale up in the cloud to support millions of Indian users. Data centres are located in Mumbai, the Singaporean ethical hacker concludes.

Data Records and SQLite Storage

Aarogya Setu uses SQLite for on-device record storage. According to Liauw, the most significant feature that distinguishes the Aarogya Setu app from Singapore’s TraceTogether is its collection of the user’s latitude and longitude information along with the neighbouring devices detected. The Aarogya Setu app stores the literal Bluetooth MAC addresses of the neighbouring devices and does not collect information about the type of the neighbouring devices.

Data Retention Policy

The review states that the Aarogya Setu app has no policy, either in code or in writing, to destroy records from the SQLite database on the user’s mobile device after a pre-planned time interval. However, Liauw attributes this lapse to the lack of time the development team had to build and test the app, and hopes that a fix will be pushed in subsequent updates. He also added that it is not a major issue if the records are stored indefinitely, considering that countries might be in for the long haul should the pandemic be prolonged.

Runtime Security

Liauw claimed that his assessment revealed reasonable evidence of runtime security implementations to stop users fiddling with the operating system on rooted devices, and of SSL (certificate) pinning to protect against MITM (man-in-the-middle) attacks.

Application Layer Encryption

Liauw was surprised to find an additional layer of encryption in the Indian Government’s Aarogya Setu app. He asserted that, on top of the TLS (Transport Layer Security) that comes for free with the use of HTTPS (Secure HTTP), the Aarogya Setu app encrypts the latitude and longitude information within the application using AES-GCM or RSA (depending on the Android version) before transmitting it over the network.

Aarogya Setu app reassures privacy after allegations of security concerns

Several groups, including French ethical hacker Elliot Alderson, raised flags about the security of the app, claiming that the privacy of 90 million Indians is at stake owing to a “security issue” in the Aarogya Setu app. He said that he was contacted by the National Informatics Centre (NIC) and the IT Ministry regarding the issue. In his Twitter thread, Alderson further cautioned that he would wait for a limited time before disclosing the matter to the general public.

However, a day after allegations of security issues surfaced, the official Twitter handle of Aarogya Setu replied to charges of privacy concerns on Twitter. It clarified that the app fetches the location of a user, as mentioned in its privacy policy, only during registration, self-assessment, and voluntary contact tracing. The app further reiterated that the data of a user’s location is stored in a secure, encrypted manner.


OpIndia Staff (https://www.opindia.com)
Staff reporter at OpIndia
