
No security breach in Aarogya Setu app, govt assures after ethical hacker raises privacy concerns

Last Updated 06 May 2020, 07:59 IST

The team at Aarogya Setu app on Wednesday reiterated that users' data is safe and that there is no security breach in the COVID-19 contact tracing app.

Reacting to an ethical hacker's claim that a security issue has been found in the app, the team said the app is completely safe.

"No personal information of any user has been proven to be at risk and no data or security breach has been identified," the statement from Aarogya Setu App said.

COVID-19 tracking app Aarogya Setu is developed by the National Informatics Centre (NIC) that comes under the Ministry of Electronics and Information Technology (MeitY).

The government has made it mandatory for employees of both government and private firms to download the app. The team has issued a detailed statement answering the queries.

Here is the full statement:

Earlier today we were alerted by an ethical hacker of a potential security issue of Aarogya Setu. We discussed with the hacker and were made aware of the following:

1. The App fetches user location on a few occasions.

Response: This is by design and is clearly detailed in the privacy policy. Reproducing the same for everyone’s benefit. We fetch a user’s location and store it on the server in a secure, encrypted, anonymised manner:

- At the time of registration

- At the time of self-assessment

- When a user submits their contact tracing data voluntarily through the App or when we fetch the contact tracing data of a user after they have turned COVID-19 positive

2. User can get the COVID-19 stats displayed on Home Screen by changing the radius and latitude-longitude using a script

Response: The radius parameters are fixed and can only take one of the five values: 500 metres, 1km, 2km, 5km and 10km. These values are standard parameters, posted with HTTP headers. Any other value as part of the “distance” HTTP header gets defaulted to 1 km.

The user can change the latitude/longitude to get the data for multiple locations. The API call though is behind a Web Application Firewall and hence bulk calls are not possible. Getting data for multiple latitude longitude this way is no different than asking several people of their location’s COVID-19 statistics. All this information is already public for all locations and hence does not compromise on any personal or sensitive data.

No personal information of any user has been proven to be at risk by this ethical hacker. We are continuously testing and upgrading our systems. Team Aarogya Setu assures everyone that no data or security breach has been identified.

We thank this ethical hacker for engaging with us. We encourage any users who identify a vulnerability to inform us immediately at gpportaarogyasetu@gov.in. Your continued support will help us keep the App even more secure.

(Published 06 May 2020, 04:58 IST)
