Aarogya Setu app on privacy issue: Read full statement here
India's Covid-19 contact tracing app Aarogya Setu released a statement today responding to claims by French hacker Robert Baptiste that the app has a privacy issue. While the hacker did not disclose the details of the app's vulnerability, the Aarogya Setu developers issued a statement saying that user data is safe and secure.
Here's the full statement from the Aarogya Setu makers.
Earlier today, we were alerted by an ethical hacker of a potential security issue in Aarogya Setu. We discussed with the hacker and were made aware of the
1. The App fetches user location on a few occasions.
- At the time of registration
- At the time of self-assessment
- When a user submits their contact tracing data voluntarily through the App, or when we fetch the contact tracing data of a user after they have turned COVID-19 positive
2. User can get the COVID-19 stats displayed on Home Screen by changing the radius and latitude-longitude using a script
Response: The radius parameters are fixed and can only take one of the five values: 500 metres, 1km, 2km, 5km and 10km. These values are standard parameters, posted with HTTP headers. Any other value as part of the "distance" HTTP header gets defaulted to 1km.
The user can change the latitude / longitude to get the data for multiple locations. The API call though is behind a Web Application Firewall, and hence bulk calls are not possible. Getting data for multiple latitude longitude this way is no different than asking several people of their location's COVID-19 statistics. All this information is already public for all locations and hence does not compromise on any personal or sensitive data.
No personal information of any user has been proven to be at risk by this ethical hacker. We are continuously testing and upgrading our systems. Team Aarogya Setu assures everyone that no data or security breach has been identified.
We thank this ethical hacker for engaging with us. We encourage any users who identify a vulnerability to inform us immediately at firstname.lastname@example.org. Your continued support will help us keep the App even more secure.
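The statement describes two server-side controls on the stats endpoint: the "distance" header is allow-listed to five fixed radii with anything else falling back to 1km, and bulk calls are throttled by a Web Application Firewall. The following is an added illustration of how a defender typically implements both, written for this article and not Aarogya Setu's own code. The function names, the header names `lat`, `lon` and `distance`, the token-bucket parameters and the coordinate bounds check are all assumptions made for the example; the statement only specifies the five radius values and the 1km default.

```python
# Added example (not Aarogya Setu code): server-side handling of a
# "distance" radius header with a fixed allow-list and a 1 km default,
# plus a per-client token bucket standing in for the WAF rate limit the
# statement mentions. Header names, bucket parameters and the coordinate
# check are assumptions for this illustration.
import time
from collections import defaultdict

ALLOWED_RADII_M = (500, 1000, 2000, 5000, 10000)   # 500 m, 1 km, 2 km, 5 km, 10 km
DEFAULT_RADIUS_M = 1000                             # "defaulted to 1km"


def resolve_radius(header_value):
    """Map the raw 'distance' header to one of the fixed radii (metres).

    Anything that is not exactly an allow-listed integer, including
    negative numbers, floats, huge values, whitespace-padded junk or a
    missing header, falls back to the 1 km default instead of being
    passed through to the data query.
    """
    if header_value is None:
        return DEFAULT_RADIUS_M
    try:
        value = int(str(header_value).strip())
    except ValueError:
        return DEFAULT_RADIUS_M
    return value if value in ALLOWED_RADII_M else DEFAULT_RADIUS_M


def valid_coordinates(lat, lon):
    """Reject malformed or out-of-range latitude/longitude up front (assumed check)."""
    try:
        lat, lon = float(lat), float(lon)
    except (TypeError, ValueError):
        return False
    return -90.0 <= lat <= 90.0 and -180.0 <= lon <= 180.0


class ClientThrottle:
    """Token bucket per client key (e.g. source IP).

    Assumed parameters: a burst of `capacity` requests, refilled at `rate`
    requests per second. `clock` is injectable so the behaviour can be
    tested deterministically.
    """

    def __init__(self, capacity=10, rate=1.0, clock=time.monotonic):
        self.capacity = capacity
        self.rate = rate
        self.clock = clock
        # bucket = [tokens remaining, timestamp of last update]
        self._buckets = defaultdict(lambda: [capacity, clock()])

    def allow(self, client_key):
        tokens, last = self._buckets[client_key]
        now = self.clock()
        tokens = min(self.capacity, tokens + (now - last) * self.rate)
        if tokens < 1:
            self._buckets[client_key] = [tokens, now]
            return False
        self._buckets[client_key] = [tokens - 1, now]
        return True


def handle_stats_request(headers, client_key, throttle):
    """Return (HTTP status, resolved radius in metres) for a stats request.

    Throttled clients get 429 before any parsing happens; bad coordinates
    get 400; otherwise the radius is resolved against the allow-list.
    """
    if not throttle.allow(client_key):
        return 429, None
    if not valid_coordinates(headers.get("lat"), headers.get("lon")):
        return 400, None
    return 200, resolve_radius(headers.get("distance"))


if __name__ == "__main__":
    # Constructed sample requests from one client to show the fallback
    # and the throttle kicking in after the burst is spent.
    throttle = ClientThrottle(capacity=3, rate=1.0)
    for distance in ("5000", "3000", "abc", "500"):
        print(distance, handle_stats_request(
            {"lat": "28.6", "lon": "77.2", "distance": distance}, "client-a", throttle))
```

Run stand-alone, the script shows the first three requests succeeding (with `3000` and `abc` both resolving to 1000 metres) and the fourth returning 429 because the three-request burst is exhausted. The point of the design is that the radius is never trusted as a free-form number: the allow-list collapses every unexpected value to a known-safe default, and the throttle is keyed per client so that scripted enumeration across many coordinates is slowed to the pace of an ordinary user.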