Aarogya Setu is an Indian COVID-19 tracking mobile application developed by the National Informatics Centre, which comes under the government’s Ministry of Electronics and Information Technology. The stated purpose of the app is to spread awareness of COVID-19 and to connect essential COVID-19-related health services to the people of India. The app augments the initiatives of the Department of Health to contain COVID-19 and shares best practices and advisories. It is a tracking app that uses the smartphone’s GPS and Bluetooth features to track coronavirus infection.
A few days ago, French hacker Robert Baptiste, who runs the popular Twitter account Elliot Anderson, warned the Indian government that there are security issues with the app. “A security issue has been found in your app. The privacy of 90 million Indians is at stake. Can you contact me in private?” his tweet read.
In response, the government of India posted a reply through the official Aarogya Setu account. It claimed that the app is safe for users and could not be hacked.
However, these claims by the government have been proven false by a software engineer from Bangalore known as Jay. According to sources, the app now stands hacked by Jay. The software engineer allegedly said that he was looking for ways to avoid installing the app on his phone, as a result of which he decided to sit down and rip it apart to prove how flawed the app is.
“I didn’t like the fact that installing this app is slowly becoming mandatory in India,” he said to the media. “My concern is just like Aadhaar, soon you won’t be able to go to a restaurant or a movie theatre without having the Aarogya Setu app installed. Even if the government doesn’t make it mandatory, owners of the firms are going to impose it on you. That’s the kind of culture we have,” he added.
At first, Jay managed to bypass the code for registration and avoided entering his phone number in the app. He started working on the app around 9 AM, reports say.
Jay then did some further pruning and managed to get past the page that requested personal information such as age, gender, name, travel history and even COVID-19 symptoms. He even used the app without allowing it to access his Bluetooth and GPS, two of the main tools the app needs to work on a phone.
By 1 PM, Jay managed to use the app without giving any of his details and marked himself “safe” through the app, despite giving no permission for it to run on his phone. Many people find it very easy to revoke the app’s permissions as well.
“I revoked the Aarogya Setu app’s location and Bluetooth permissions and it tells me I am still safe, so 🤷🏽♂️” pic.twitter.com/G4CkO9zWTB — ¯\_(ツ)_/¯ (@PranavDixit), May 2, 2020
Though the government assured that the data collected while installing the Aarogya Setu app will be used only for COVID-19-related purposes, this incident made us step back a little from the app. It seems anybody could show a fake result, which completely defeats the purpose of having the app on our phones. The government is yet to release a statement regarding this!