By Arré Bench May. 13, 2020
It took a Bangalore software engineer merely four hours to bypass all the pages that requested personal information and turn the Aarogya Setu app into a “harmless shell, collecting no data”. It still marked him as “safe” afterwards.
The Aarogya Setu app has been subject to intense scrutiny ever since a police order in Noida and a circular issued by the Railways indicated that it may soon be mandatory on all phones in the country.
Now, the contact-tracing app, which was launched last month and downloaded a record 50 million times in 13 days, has apparently been hacked by a Bangalore-based software engineer, just hours after the government said it couldn’t be hacked.
According to a report in BuzzFeed News, it took the software engineer merely four hours to bypass all the pages that requested personal information and turn the app into a “harmless shell, collecting no data”. It still marked him as “safe” afterwards.
For days, Jay watched with mounting alarm as people in India were forced to install the government’s coronavirus contact tracing app. Then, he rolled up his sleeves and ripped its guts out.
New from me: Indians are finding workarounds to Aarogya Setu. https://t.co/794LXFE8Ng
— ¯\_(ツ)_/¯ (@PranavDixit) May 12, 2020
“That was my goal,” he was quoted as saying. “I succeeded. You can show the green badge to anyone if they ask to check your phone and they won’t be able to tell.”
Last week, the French hacker who goes by “Elliot Alderson” on Twitter, and who last made headlines in the country for exposing faults in the Aadhaar app, tweeted that he had discovered a possible security issue in the app. He tagged both Aarogya Setu’s official handle and Rahul Gandhi, who he indicated “was right”.
A security issue has been found in your app. The privacy of 90 million Indians is at stake. Can you contact me in private?
PS: @RahulGandhi was right
— Elliot Alderson (@fs0c131y) May 5, 2020
Congress MP Rahul Gandhi had earlier called the Aarogya Setu app a “sophisticated surveillance system” that raised serious data security and privacy concerns.
The Aarogya Setu handle responded to both allegations by insisting that it was impossible to hack the app.
— Aarogya Setu (@SetuAarogya) May 5, 2020
Unfortunately for them, it seems to have taken the Bangalore hacker very little time to pull it off.
As we enter the next phase of lockdown, it seems increasingly likely that extensive contact tracing is one of the only ways we’ll be able to keep ourselves safe from the coronavirus. So as the app becomes mandatory for more of us, let’s hope ethical hackers continue to keep Aarogya Setu on its toes.