Singaporean hacker validates security of Indian contact tracking App Aarogya Setu


Even as the privacy activists raise hell with Aarogya Setu App, it becomes one of top downloaded Android App in the world

Ever since the Indian government released their own contact tracing Aarogya Setu to warn Indian citizens about the Coronavirus infected patients near them, it has been in the eyer of the storm. A few weeks earlier a French ethical hacker, Elliot Alderson tweeted about it leaking data which was subsequently trashed by the developers of the App. Now the privacy activists including Alderson want the Indian government to open-source the source code of the App. Especially after the United Kingdom’s NHS contact tracing App was open-sourced.

Now, Singaporean hacker, Frank Liauw has strongly come in support of Aarogay Setu. He has made a Medium Post outlining his findings. In the post, he says that Aarogya Setu’s privacy approach is different from TraceTogether – the contact tracing app of Singapore. He found that Aarogya Setu collects “anonymised, aggregated datasets for the purpose of generating reports, heat maps, and other statistical visualisations for the purpose of the management of COVID-19 in the country”.

Why Aarogya Setu is safe?

Frank says that the reasons why Aarogya Setu is safe are that it uses

Aarogya Setu uses managed Amazon Web Services (AWS) for backend support. This allows Aarogya Setu to scale up rapidly in the cloud to support millions of users in India. IT uses two APIs, Elastic Load Balancing for static content and API Gateway products.

  • Aarogya Setu stores data on local servers in Data Centers located in Mumbai which is indicated AP-South-1.
  • Aarogya Setu uses SQLite for on-device record storage.
  • The most distinguishing feature of Aarogya Setu from other contract tracing Apps is its collection of the user’s latitude and longitude information in nearby_devices_info_table.
  • Aarogya Setu stores literal bluetooth_mac_address of neighboring devices. Unlike other contact tracing Apps, Aarogya Setu does not collect device types of neighboring devices. Frank says that Aarogya Setu is fool-proof to SSL (certificate?) pinning to safeguard against MITM (Man-in-the-middle) attacks
  • Aarogya Setu’s biggest security achievement is Application Layer Encryption. Aarogya Setu encrypts every user’s latitude and longitude data in the application using AES-GCM or RSA depending on the Android version prior to sending it over the network. Frank verified the data path from SQLite retrieval through encryption.

Aarogya Setu becomes one of the top downloaded Android App on Google Play

In the meantime, Aarogya Setu became one of the top downloaded non-gaming Android App on Google Play. A Sensor Tower report says that India’s Covid-19 contact tracing app Aarogya Setu notched the seventh spot and is also the fifth most downloaded app on Google Playstore.

Aarogya Setu becomes one of the top downloaded Android App on Google Play

Aarogya Setu has been downloaded by 90 million Indians till May 4. Remember, the Indian government made it mandatory that government and private sector employees use Aarogya Setu App in its fight against the COVID-19 pandemic.


About Author

"The Internet is the first thing that humanity has built that humanity doesn't understand, the largest experiment in anarchy that we have ever had." Eric Schmidt

Notify of
Inline Feedbacks
View all comments