Aarogya Setu , India’s coronavirus ( COVID-19 ) contact-tracing and self-assessment app is now open source . The COVID-19 app, which supports 12 languages, is available on three platforms – Android, iOS and KaiOS (Jio Phones). The app reached the mark of 100 million (10 crore) downloads in 41 days. It had more users than any other contact-tracing app in the world as on May 26, 2020, as per a statement by the Ministry of Electronics and Information Technology (MeitY).
Health Ministry launches Aarogya Setu IVRS facility for those without smartphones
The Aarogya Setu app is used on Android phones by 98% of the registered users, and the source code for the Android app is currently available on GitHub, a collaboration platform for software developers, where code can be developed or reviewed collaboratively. Both the iOS and KaiOS source codes will be released over a period of time, starting with the iOS version, which will be available as open source within the next two weeks, according to the statement.
The code is available on GitHub at https://github.com/nic-delhi/AarogyaSetu_Android. At the time of writing, the code already had 70 ‘pull requests’ or changes that people have suggested for the code.
Coronavirus | What are the concerns around the Aarogya Setu app?
Making the source code of the app available to the public allows experts and researchers to review and detect vulnerabilities. The more the developers analysing the code, the easier it may be to spot problems or issue with the code. The reliability quotient could also go up as more people are using it, testing it, and fixing bugs. On the flip side, open sourcing could also expose the vulnerabilities to hackers.
The government also launched a Bug Bounty Programme for security researchers and the Indian developer community to identify vulnerabilities and improve the code. There are three different categories of vulnerabilities through which the code could be breached and a ₹1-lakh cash prize for each of these categories has been announced.
“While making the code open source, Government of India also seeks the developer community to help identify any vulnerabilities or code improvement in order to make Aarogya Setu more robust and secure,” the statement read.
Data | How safe is Aarogya Setu compared to COVID-19 contact tracing apps of other countries?
Prior to the announcement on making the app open source, there was a change in the terms of service and privacy policy of the app, removing restrictions on tampering and reverse-engineering. Under the earlier terms, reverse-engineering was explicitly prohibited.
The Android version of the app requests multiple permission, and has access to user’s location using the phones network and GPS. In addition, it receives data from internet, prevents device from sleeping, runs at startup, and has full network access, as listed under the permissions tab of the app.
The Aarogya Setu Android app privacy policy states that, information collected during the app registration such as name, phone number, age, sex, profession, and countries visited in the last 30 days, is stored securely on a server operated and managed by the Government of India.
During the media briefing, Ajay Prakash Sawhney, Secretary, MeitY said, “Even though that bill (The Personal Data Protection Bill 2019) is still in Parliament, we have actually implemented the principles of personal data privacy in designing this app.”
The Hindu had earlier reported security issues highlighted by Robert Baptiste, a cybersecurity expert and ethical hacker, who goes by the name Elliot Alderson.
The Aarogya Setu team in response to Alderson, said in a statement, “No personal information of any user has been proven to be at risk by this ethical hacker. We are continuously testing and upgrading our systems. Team Aarogya Setu assures everyone that no data or security breach has been identified.”
According to the MeitY statement, the platform has reached out to more than 9,00,000 users and advised them for quarantine, caution or testing. Amongst those who were recommended for testing for COVID-19, it has been found that almost 24% of them have been found COVID-19 positive. The overall COVID-19 positive rate is around 4.65%, as on May 26.
