- The hacker claimed that the privacy of 90 million Indian users is at stake due to a security vulnerability found in the app.
- The Aarogya Setu team shared an official statement on Twitter and said that they have discussed how the app collects location and information.
- They said in their statement that "no personal information of any user has been proven to be at risk by this ethical hacker".
A day after an ethical hacker claimed that the government-backed Aarogya Setu app has privacy issues, the developers of India's contact-tracing app have issued a statement clarifying its functionalities. The hacker claimed that the privacy of 90 million Indian users is at stake due to a security vulnerability found in the app.
The Aarogya Setu team shared an official statement on Twitter and said that they have discussed how the app collects location and information. They said in their statement that "no personal information of any user has been proven to be at risk by this ethical hacker" and there was "no data or security breach."
In their statement, the government said that they fetch a user's location and store it on a server in a secure, encrypted and anonymized manner at the time of registration and self-assessment. They said that the user submits his contact tracing data voluntarily on the app.
In response to the hacker's claim that "users can get the COVID-19 stats displayed on Home Screen by changing the radius and latitude and longitude", the government said that "the radius parameters are fixed and can only take one of the few values: 500 meters, 1km, 2km, 5km, and 10km. These values are standard parameters posted with HTTP headers."
However, the hacker didn't seem too pleased with the clarification issued by the government. He then tweeted, "Basically, you said 'nothing to see here' We will see. I will come back to you tomorrow."
The ethical hacker, who goes by the name Elliot Alderson, had alerted the government on Tuesday about the flaws in the app. He even asked them to get in touch with him privately. However, hours after tweeting, Alderson warned the government that if they didn't fix the flaw, he would disclose all the vulnerabilities to the public.
The Aarogya Setu app was designed to curb the spread of coronavirus in India. It was downloaded 80 million times within days and the numbers have only gone up. The app was heavily promoted by the government and the Prime Minister himself. In some places, it is being made mandatory for people to download the app. For instance, central government employees have been asked to download the app, and some companies like Zomato and Urban Company have made it mandatory for all their employees.
Just yesterday, it was announced that anyone roaming around in Noida without having the app on his phone will be penalized and can even face jail for 6 months.