Aarogya Setu is now open-source for developers, govt announces bug bounty programme

Aarogya Setu was released about two months back soon after the covid-19 cases began spiking in India.

Aarogya Setu app has finally become open source for developers as the government looks to quell the privacy and surveillance concerns. The Ministry of Electronics and Information Technology on Monday issued a notice, stating the code for the Arogya Setu Android app has been uploaded on GitHub and will be available for tinkering by developers starting Tuesday, May 26. Meanwhile, the iOS counterpart of the government's covid-19 tracking app will be open-sourced within two weeks. The National Informatics Centre (a part of MeitY) has also announced the bug bounty programme for developers who can find vulnerabilities in the app.

The open-source code of the Aarogya Setu app comes after nearly two months since the release of the app, during which over 114 million users have registered themselves for the government's programme. Although the app has been deemed resourceful by its users, privacy advocates have so far decried the lack of transparency in the app's code, especially after the French hacker discovered one too many security loopholes in the app. The government then responded to the hacker's concerns but the apprehension on using Aarogya Setu app among the users grew by the day, forcing the government to come forward and release the code-set of the app on GitHub.

Post the announcement, French security researcher who goes by Elliot Alderson alias on Twitter said, "This is a very positive news and I'm very happy that the Indian government took this direction. Now, we would like to see what is happening on the server side."

Per the ministry, 98 per cent of Aarogya Setu are using it on the Android platform, which is why the app has been open-sourced before its iOS and KaiOS apps. "Releasing the source code of a rapidly evolving product that is being regularly used by more than 114 million users, is challenging. Developing and maintaining the source code is a huge responsibility, both for Team Aarogya Setu and the developer community. The repository now being shared is the actual production environment. All subsequent product updates will also be made available through this repository," said MeitY in a statement.

The bug bounty programme is aimed at encouraging the Indian developer community to find security flaws in the app and get rewarded Rs 1 lakh. The programme has been organised by the MyGov team, which looks after the delivery of the government's digital programmes to citizens via apps. There is an additional Rs 1 lakh bounty for suggesting improvements in the Aarogya Setu app, the ministry said.