Fact Checks & Myth Busts – Is the Aarogya Setu App Safe to Use?

As India is fighting the deadly COVID-19, it’s notable that the Government has fallen in step with other countries in the development and enforcement of a COVID-19 mobile contact tracer, the Aarogya Setu application.

Nevertheless, all through India, dialogues are being exchanged as to whether the app is secure to use or if it is just a means of spying on the citizens of the Indian nation.

To address this crucial issue, at Appknox we’ve run a security test on the Aarogya Setu app. The findings of the same have been compiled below. Before that, we’d like to take your attention to the review from the MIT Researchers:

“Many countries are developing limited services that use Bluetooth or GPS to give ‘exposure notifications’ to people who have interacted with someone found to have COIVD-19. India’s app, though, is a massive all-in-one undertaking that far exceeds what most other countries are building."

That said let’s explore the working methodology of India’s COVID-19 tracker app, the Aarogya Setu.

 

The Work Flow of Aarogya Setu App 

In its simplest form, the Aarogya Setu is an application that has been developed to notify the users if they are near corona-virus positive patients. Since it’s a geography-based application, it would request access to the user’s location at all times, in addition to Bluetooth access.

Upon installation, the app would collect all basic information about the user. This would include details like age, name, gender, health status, and history of foreign visits. In case the user is a doctor, details about exposure to COVID-19 patients would also be collected.

But the workflow of the Aarogya Setu application is not limited to the above narration. Many technical factors are running behind the application’s user-friendly interface. We’ll expose them with utmost simplicity for your benefit.

Collection of Data 

At the time of registration, the user enters the basic information to facilitate the process of persona building. But the application does not allow users to change any of their previously shared basic information.

The application directly sends the details to the server. So, none of the details is stored in the device, rather in the server alone.

Collection of data

 

Bluetooth Access and WebView 

The Aarogya Setu app functions well only when its users share their locations and allow access to their Bluetooth.

image4-3

 

With WebView, the Aarogya Setu mobile application is run as a web application too. This is greatly useful as the application needs to embed web content like maps to guide the users with proximity details of the COVID-19 affected patients.

This is the basic interface of the app. To change language and other things, the app uses a JavaScript Interface Bridge. The image below is the source code of the interface. It shows how the native Java functions are used to call the basic interface into place.

image5-2

 

Encryption and Data Storage

As we did our research, we found that the Aarogya Setu app uses AES/ECB encryption. Although all applications should use AES/CBC encryption over AES/ECB, the Aarogya Setu app is still secure for use.

We figured out the app uses encryption AES/ECB encryption from a library developed by google tink library (https://github.com/google/tink) which is good, uses it to store application state data such as the language selected and other parameters but no PII(Personally identifiable information) data. Since it was not PII we did not perform more in-depth testing on these data.We got the encryption key as seen in the Appknox Report(Screenshot below), but data is not sensitive so it doesn't really matter.

null

 

This is because only the application state data such as the language preferred and similar parameters are stored. No PII data is stored. And since the collected and stored information is not sensitive, using AES/ECB encryption does not matter.

Follow the pointers below for a better understanding of the encryption techniques.

· Advanced Encryption Standard (AES): The US government uses this block cipher as its encryption standard for its government and military purposes

· Electronic Codebook (ECB): This is the basic form of the AES block cipher encryption

· Cipher Blocker Chaining (CBC): This is the most complicated form of block cipher encryption. With CBC, all the ciphertext blocks are made dependent on the plaintext blocks that have been processed up to this stage.

The image below shows how a simple image of a penguin can be encrypted through the aforementioned techniques.

Encryption techniques

         Source : Wikipedia   

                                                                

Every Account is Mapped to Device ID With a Token

The token does not expire and should expire or else it is a security misconfiguration but does not leak PII.

A refresh token is generated and validated without any security issue, you can see auth token in the below screenshot.

auth token

For iOS ATS
iOS ATS (Application Transport Security) protection improves privacy and data integrity for all apps and app extensions. There is a security misconfiguration that needs to be fixed. But this issue also does not lead to any data loss.

image2-4

This is also a low-level issue and can be fixed by changing NSAllowsArbitraryLoads to No.

 

Geolocation Functionality

Application has the functionality to check COVID-19 cases around as shown below:

image9-2

The API related to this looks like this:

Auth

 

As mentioned by the Aarogya Setu team on twitter (https://twitter.com/SetuAarogya/status/1257755315614801921?s=20) even if you update the dist parameter to arbitrary number it defaults back to 1 KM. Also, this gives details of infected and unwell people around which is the motive behind the app so we don’t think there is any security issue in it.

Account Mapping 

The accounts of the Aarogya Setu app users are mapped to their device ids with tokens. Generally, these tokens are programmed to expire. But the tokens of the Aarogya Setu app does not expire. This demonstrates a security misconfiguration, although it does not leak the PII data.

A refresh token is generated and validated for the Aarogya Setu app, without any security issue. So, this issue could be rectified without losing any data.

As far as iOS devices are concerned, with an ATS (Application Transport Security), the Aarogya Setu mobile app can be connected to the servers through HTTPS protocol, instead of HTTP, for better protection.

 

Geolocation Functionality

By accessing the users’ mobile locations, the Aarogya Setu app checks for COVID-19 patients around their vicinity. It’s illustrated in the image below.

This is what you see while using the Aarogya Setu app. But its Application Programming Interface (API) looks different. Take a look below:

To determine whether a user is safe, the Aarogya Setu app users five buffers: 500 meters, 1 km, 2 km, 5 km, and 10 km. Any other distance that’s entered by the user will be brought to a default value of 1 km. This way, even as the user is kept on alert, the privacy of the affected will not be breached.

Now that you know the technical nitty-gritty behind the Aarogya Setu app, you might ponder about its security scores. We’ve got you covered on that too!

 

Appknox’ Findings – Security Score of Aarogya Setu App 

We conducted a security assessment of the 1.1.1 version of the Android platform Aarogya Setu App. We ran both automated and manual auditing processes for the same. In our report, you can find elaborate discussions on the vulnerabilities with ways to remediate them.

Now that we have the legit proof of the security standings of the Aarogya Setu app, we’d bust the two most prevalent myths around the application by illuminating the facts.

Facts vs Myths 

A French cybersecurity analyst Robert Baptiste, under his Twitter pseudonym, Elliot Alderson, has been destroying the trust of a majority of the Indians in the Aarogya Setu app.

We wish to put you on the right track, by revealing to you the myths asserted by the cyber analyst against the transparent and truthful response of the Aarogya Setu IT team.

 

Myth 1 – “The App fetches user location on a few occasions” 

 

Fact: 

The design of the Aarogya Setu app is such that it collects user location, and details of it have been clearly stated in the Privacy Policy. The application collects the location data at the time of registration, self-assessment, and submission of voluntary contact tracing data. The collected data is then stored in an encrypted and anonymized manner in the server.

 

Myth 2 – “User can get the COVID—19 stats displayed on Home Screen by changing the radius and latitude-longitude using a script” 

 

Fact: 

The radius buffers have been limited to five values, as mentioned earlier. These standard values are posted with HTTP headers. Even if any user enters another value, the distance will be directed to the default value of 1km.

As asserted by the hacker, the user can indeed fetch data for multiple locations by changing the coordinates. Nevertheless, the API enforced in the Aarogya Setu application prevents such bulk calls from being processed.

So, there is absolutely no way for one user to procure the COVID-19 statistics by simply changing the coordinates.

That said, the claims of french researcher are futile. He was unable to prove the privacy risk of any user using the Aarogya Setu app. So, rest assured, you are safe. None of your confidential and sensitive information is out in the open, everything is secure.

The Word 

There might indeed be certain security misconfigurations in the Aarogya Setu app, but none of which pose great threats. Into the bargain, we never found any evidence for the PII data breach in our security assessment.

We strongly believe Aarogya Setu app is the Indian government’s approach to providing the right information during the uncertain times of the COVID pandemic. Nevertheless, based on our findings, the following low and medium level safety issues of the Aarogya Setu can be rectified,

· Implementation of ATS in iOS devices

· Non-expiration of tokens

· Usage of SSL Pinning instead of encryption

· Using AES/CBC encryption instead of AES/ECB encryption

Yet, even without these rectifications, the application is still secure to use, and you don’t have to fear privacy intrusion.

 

 

Published on May 13, 2020
Harshit Agarwal
Written by Harshit Agarwal
Harshit Agarwal is a serial entrepreneur, passionate about end-to-end mobile app security. As a Microsoft Venture Accelerator alumni and CEO of Appknox, he works with enterprises globally ranging from some of the top Fintech companies to Fortune 100 businesses in setting up continuous mobile application security processes.

Questions?

Chat With Us

Using Other Product?

Switch to Appknox

2 Weeks Free Trial!

Get Started Now