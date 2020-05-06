Photo: the Aarogya Setu logo displayed on a smartphone in a photo illustration (SOPA Images via Getty Images).

French cyber security researcher and ethical hacker Baptiste Robert, who goes by the name Elliot Alderson online, mocked the Indian government’s response to security issues raised by him regarding the Aarogya Setu app.

Alderson had on Tuesday night pointed out that the app, used by the government for contact tracing of COVID-19 patients, had risked the privacy of 90 million Indians.

While the government denied there had been any privacy breach, Alderson said that an issue that had previously allowed him to access any internal file on the app had been quietly fixed.

The first time I analysed @SetuAarogya it was 1 month ago. With 1 command line it was possible to open any internal file of the app. It's no longer possible on the latest version. They fixed this issue silently. https://t.co/MVKc4wOSA9 — Elliot Alderson (@fs0c131y) May 6, 2020

He also said he had been able to check who was infected, who was unwell and who had made a self-assessment in any area of his choice. “Basically, I was able to see if someone was sick at the PMO office or the Indian parliament. I was able to see if someone was sick in a specific house if I wanted,” he said.

And yes, yesterday:

- 5 people felt unwell at the PMO office
- 2 unwell at the Indian Army Headquarters
- 1 infected person at the Indian parliament
- 3 infected at the Home Office

Should I continue? — Elliot Alderson (@fs0c131y) May 6, 2020

The government had responded late on Tuesday night to tweets by Alderson in which he asked the app’s team to contact him, adding in a postscript that Congress leader Rahul Gandhi had been right.

Hi @SetuAarogya,

A security issue has been found in your app. The privacy of 90 million Indians is at stake. Can you contact me in private?

Regards,

PS: @RahulGandhi was right — Elliot Alderson (@fs0c131y) May 5, 2020

Gandhi had last week called the app “a sophisticated surveillance system, outsourced to a private operator, with no institutional oversight - raising serious data security and privacy concerns.”

Within an hour of his tweet, Alderson said he had been contacted by the Ministry of Electronics & Information’s Computer Emergency Response Team and the National Informatics Centre.

The government later tweeted out a statement saying “no personal information has been proven to be at risk” and that there had been no security or data breach.

One of the issues pointed out by Alderson was the app’s use of a user’s location. The government, in its response, said that data on a user’s location was stored on a server in a “secure, encrypted, anonymised manner”.

The government also claimed that the location of the user is accessed at the time of registration, self-assessment, when the user submits contact-tracing data “voluntarily” and when the app fetches data after a user tests positive for COVID-19.

The app was recently made mandatory not just for individuals in containment zones, but for all government officials.

You can read the app team’s full statement below:

Statement from Team #AarogyaSetu on data security of the App. pic.twitter.com/JS9ow82Hom — Aarogya Setu (@SetuAarogya) May 5, 2020

Alderson was less than satisfied with the government’s response.

To a tweet asking whether he thought the security issue was intentional and by design, Alderson replied “yes”.

Yes — Elliot Alderson (@fs0c131y) May 5, 2020

The ethical hacker has previously pointed out security breaches in Aadhaar.

Communications and Information Technology Minister Ravi Shankar Prasad told the Economic Times on Wednesday that the app was “completely Covid-centric” and “secure”.