In a major win for privacy advocates, the Government of India on Tuesday made the Aarogya Setu app for Android open source. Its iOS (and KaiOS) code will be open sourced in the coming days as well. This means that researchers and cybersecurity experts will now be able to audit the Aarogya Setu app at their full discretion, helping find potential flaws in India’s first truly comprehensive COVID-19 tracking app, hopefully in a fair and transparent manner.
The Aarogya Setu source code for Android is now available on GitHub and the Government has said that all future app updates will be made through this dedicated repository. It chose to begin with Android because over 90% of Aarogya Setu usage apparently comes from Android. The app is also available for iOS, and even for KaiOS-based feature phones like the JioPhone. The iOS and KaiOS source code will also be released soon.
The Government’s move to make the Aarogya Setu app open source comes just days after it updated the app’s privacy policy to allow developers to reverse engineer it to detect flaws in the system. The Government now also allows anyone to report bugs (if any) in Aarogya Setu under its own bug bounty program, with a cash prize of Rs 1 lakh up for grabs.
All of this should go a long way in silencing critics who have been asking the Government to open source Aarogya Setu for some time now. Concerns only grew further after an anonymous French hacker who goes by the name of Elliot Alderson on Twitter discovered a security issue (two, in fact) in the Aarogya Setu app that could allegedly have put the privacy of millions of Indians at stake. Being an ethical hacker, Alderson had flagged the issue to India’s Computer Emergency Response Team (CERT) and the National Informatics Centre (NIC) in early May.
Alderson had taken to Twitter to claim that he had discovered a security issue in the Aarogya Setu app and asked the Government to contact him in private, so the hacker could disclose it to the authorities. The Government contacted the hacker soon enough and the issue was disclosed to them. The Government came out with a detailed response to the hacker’s claims soon after, assuring users that all was well with Aarogya Setu.
Alderson isn’t the only one to have raised alarm over privacy issues in the Aarogya Setu app. New Delhi-based Software Freedom Law Centre has alleged that the app collects sensitive user data such as a user’s gender and travel history. The Internet Freedom Foundation (IFF) has also alleged that Aarogya Setu lacks transparency.
As per the Government’s fresh stats, the Aarogya Setu app has been downloaded by 110 million users as of May 21, 2020.