As India is fighting the deadly COVID-19, it’s notable that the Government has fallen in step with other countries in the development and enforcement of a COVID-19 mobile contact tracer, the Aarogya Setu application.
Nevertheless, across India, debate continues over whether the app is safe to use or merely a means of spying on the citizens of the Indian nation.
To address this crucial question, we at Appknox ran a security test on the Aarogya Setu app. Our findings are compiled below. Before that, we’d like to draw your attention to the review from the MIT researchers:
“Many countries are developing limited services that use Bluetooth or GPS to give ‘exposure notifications’ to people who have interacted with someone found to have COVID-19. India’s app, though, is a massive all-in-one undertaking that far exceeds what most other countries are building.”
That said, let’s explore the working methodology of India’s COVID-19 tracker app, the Aarogya Setu.
The Workflow of the Aarogya Setu App
In its simplest form, Aarogya Setu is an application developed to notify users when they are near coronavirus-positive patients. Since it is a location-based application, it requests access to the user’s location at all times, in addition to Bluetooth access.
Upon installation, the app collects basic information about the user: age, name, gender, health status, and history of foreign travel. If the user is a doctor, details about exposure to COVID-19 patients are also collected.
But the workflow of the Aarogya Setu application is not limited to the above. Many technical components run behind the application’s user-friendly interface. We’ll explain them as simply as possible.
Collection of Data
At the time of registration, the user enters basic information from which their profile is built. The application does not allow users to change any of this previously shared basic information afterwards.
The application sends these details directly to the server, so none of them is stored on the device; they are stored on the server alone.
Bluetooth Access and WebView
The Aarogya Setu app functions properly only when its users share their location and allow Bluetooth access.
Through WebView, the Aarogya Setu mobile application also runs web content. This is useful because the application needs to embed web content such as maps that show users how close COVID-19-affected patients are.
This is the basic interface of the app. To change the language and other settings, the app uses a JavaScript interface bridge between the WebView and native code. The image below shows the source code of that interface: the native Java functions exposed to the web content to bring up the basic interface.
Encryption and Data Storage
During our research, we found that the Aarogya Setu app uses AES in ECB mode (AES/ECB). Although applications should use AES/CBC in preference to AES/ECB, the Aarogya Setu app is still secure to use.
We found that the app performs this AES/ECB encryption through Google’s Tink library (https://github.com/google/tink), which is a good choice, and uses it to store application state data such as the selected language and other parameters, but no PII (personally identifiable information). Since the data is not PII, we did not perform more in-depth testing on it. We recovered the encryption key, as seen in the Appknox report (screenshot below), but because the data is not sensitive this does not really matter.
In other words, only application state data such as the preferred language and similar parameters is stored; no PII is stored. And since the collected and stored information is not sensitive, the use of AES/ECB encryption does not matter in practice.
The pointers below give a quick overview of the encryption techniques involved.
· Advanced Encryption Standard (AES): The US government uses this block cipher as its encryption standard for government and military purposes.
· Electronic Codebook (ECB): This is the most basic mode of operation for the AES block cipher; each block of plaintext is encrypted independently of the others.
· Cipher Block Chaining (CBC): This is the most complicated form of block cipher encryption. With CBC, each ciphertext block depends on all the plaintext blocks processed up to that point.
The image below shows how a simple image of a penguin looks when encrypted with each of these techniques.
Source: Wikipedia
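The penguin effect in code: the Go program below is an added illustration (not code from the app, from Tink or from the Appknox report) of why ECB is discouraged. It encrypts a plaintext made of the same 16-byte block repeated four times under both modes and counts repeated ciphertext blocks; it assumes a fixed demo key and IV and block-aligned input (no padding) so the result is deterministic.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
)

// mustAES builds the AES cipher; a bad key size panics (fine for a fixed demo key).
// Plaintexts are assumed block-aligned (no padding) to keep the focus on the mode.
func mustAES(key []byte) cipher.Block {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	return block
}

// EncryptECB encrypts every block independently with the same key, so
// identical plaintext blocks always produce identical ciphertext blocks.
func EncryptECB(key, plaintext []byte) []byte {
	block := mustAES(key)
	out := make([]byte, len(plaintext))
	for i := 0; i < len(plaintext); i += aes.BlockSize {
		block.Encrypt(out[i:i+aes.BlockSize], plaintext[i:i+aes.BlockSize])
	}
	return out
}

// EncryptCBC XORs each plaintext block with the previous ciphertext block
// (the IV for the first), so repeats in the plaintext do not repeat in the
// output. Real code draws a fresh random IV for every message.
func EncryptCBC(key, iv, plaintext []byte) []byte {
	out := make([]byte, len(plaintext))
	cipher.NewCBCEncrypter(mustAES(key), iv).CryptBlocks(out, plaintext)
	return out
}

// DuplicateBlocks counts ciphertext blocks that repeat an earlier block: the
// leak that keeps the ECB-encrypted penguin recognisable.
func DuplicateBlocks(ct []byte) int {
	seen, dups := map[string]bool{}, 0
	for i := 0; i+aes.BlockSize <= len(ct); i += aes.BlockSize {
		b := string(ct[i : i+aes.BlockSize])
		if seen[b] {
			dups++
		}
		seen[b] = true
	}
	return dups
}
```

With four identical input blocks, ECB yields three repeated ciphertext blocks while CBC yields none.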
Every Account is Mapped to a Device ID With a Token
The token does not expire. It should expire; otherwise this is a security misconfiguration, although it does not leak PII.
A refresh token is generated and validated without any security issue; you can see the auth token in the screenshot below.
iOS ATS
iOS ATS (Application Transport Security) protection improves privacy and data integrity for all apps and app extensions. Here there is a security misconfiguration that needs to be fixed, but it does not lead to any data loss either.
This is a low-severity issue and can be fixed by setting NSAllowsArbitraryLoads to No.
Geolocation Functionality
The application can check COVID-19 cases around the user, as shown below:
The API behind this looks like this:
As mentioned by the Aarogya Setu team on Twitter (https://twitter.com/SetuAarogya/status/1257755315614801921?s=20), even if you change the dist parameter to an arbitrary number, it defaults back to 1 km. Also, this endpoint returns details of infected and unwell people nearby, which is the very purpose of the app, so we don’t think there is any security issue here.
Account Mapping
The accounts of Aarogya Setu app users are mapped to their device IDs with tokens. Generally, such tokens are programmed to expire, but the tokens of the Aarogya Setu app do not. This is a security misconfiguration, although it does not leak PII.
A refresh token is generated and validated for the Aarogya Setu app without any security issue, so this issue could be rectified without losing any data.
As far as iOS devices are concerned, with ATS (Application Transport Security) enabled the Aarogya Setu mobile app would connect to its servers over HTTPS instead of HTTP, for better protection.
Geolocation Functionality
By accessing users’ mobile locations, the Aarogya Setu app checks for COVID-19 patients in their vicinity, as illustrated in the image below.
This is what you see while using the Aarogya Setu app, but its Application Programming Interface (API) looks different. Take a look below:
To determine whether a user is safe, the Aarogya Setu app uses five distance buffers: 500 meters, 1 km, 2 km, 5 km, and 10 km. Any other distance entered by the user is brought back to the default value of 1 km. This way, the user is kept alert while the privacy of the affected is not breached.
Now that you know the technical nitty-gritty behind the Aarogya Setu app, you might wonder about its security score. We’ve got you covered on that too!
Appknox’s Findings – Security Score of the Aarogya Setu App
We conducted a security assessment of version 1.1.1 of the Android Aarogya Setu app, running both automated and manual audits. Our report discusses the vulnerabilities in detail, along with ways to remediate them.
Now that we have solid proof of the security standing of the Aarogya Setu app, we’ll bust the two most prevalent myths around the application by laying out the facts.
Facts vs Myths
The French cybersecurity analyst Robert Baptiste, tweeting under the pseudonym Elliot Alderson, has been eroding the trust of a majority of Indians in the Aarogya Setu app.
We wish to set the record straight by laying out the myths asserted by the analyst alongside the transparent and truthful response of the Aarogya Setu IT team.
Myth 1 – “The App fetches user location on a few occasions”
Fact:
The Aarogya Setu app is designed to collect user location, and the details are clearly stated in the Privacy Policy. The application collects location data at the time of registration, during self-assessment, and on submission of voluntary contact tracing data. The collected data is then stored on the server in encrypted and anonymized form.
Myth 2 – “User can get the COVID-19 stats displayed on Home Screen by changing the radius and latitude-longitude using a script”
Fact:
The radius buffers are limited to five values, as mentioned earlier. These standard values are posted with HTTP headers. Even if a user enters another value, the distance is brought back to the default value of 1 km.
As the hacker asserts, a user can indeed fetch data for multiple locations by changing the coordinates. Nevertheless, the API used by the Aarogya Setu application prevents such bulk calls from being processed.
So there is absolutely no way for one user to procure COVID-19 statistics in bulk by simply changing the coordinates.
That said, the French researcher’s claims are unfounded. He was unable to demonstrate a privacy risk to any user of the Aarogya Setu app. So rest assured, you are safe: none of your confidential and sensitive information is out in the open, and everything is secure.
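The two server-side behaviours this section and the Geolocation Functionality section rely on, the radius clamped to the five buffers with a 1 km fallback and the refusal of bulk calls from one account, are sketched below in Go. This is an added example, not the Aarogya Setu backend’s code: the Limiter type, its sliding-window design and the quota values chosen in use are hypothetical.

```go
package main

import (
	"strconv"
	"time"
)

// The five radius buffers described above; anything else falls back to 1 km.
var allowedKm = map[float64]bool{0.5: true, 1: true, 2: true, 5: true, 10: true}

// NormalizeRadius maps the raw dist query parameter onto an allowed buffer,
// so a caller cannot widen the search area by sending an arbitrary number.
func NormalizeRadius(raw string) float64 {
	d, err := strconv.ParseFloat(raw, 64)
	if err != nil || !allowedKm[d] {
		return 1
	}
	return d
}

// Limiter is a hypothetical per-token sliding-window quota (not the app's own
// design): the kind of check that stops one user from sweeping many
// coordinates with bulk calls. Not goroutine-safe; guard with a mutex in a
// real handler.
type Limiter struct {
	Window time.Duration
	Max    int
	calls  map[string][]time.Time
}

// Allow forgets calls older than Window, then admits the new call only if the
// token is still under its Max-per-window quota.
func (l *Limiter) Allow(token string, now time.Time) bool {
	if l.calls == nil {
		l.calls = map[string][]time.Time{}
	}
	var recent []time.Time
	for _, t := range l.calls[token] {
		if now.Sub(t) < l.Window {
			recent = append(recent, t)
		}
	}
	if len(recent) >= l.Max {
		l.calls[token] = recent
		return false
	}
	l.calls[token] = append(recent, now)
	return true
}
```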
The Word
There may indeed be certain security misconfigurations in the Aarogya Setu app, but none of them pose a great threat. Moreover, we found no evidence of a PII data breach in our security assessment.
We strongly believe the Aarogya Setu app is the Indian government’s way of providing the right information during the uncertain times of the COVID pandemic. Nevertheless, based on our findings, the following low- and medium-severity security issues in Aarogya Setu can be rectified:
· Implementation of ATS on iOS devices
· Non-expiration of tokens
· Usage of SSL pinning instead of encryption
· Use of AES/CBC encryption instead of AES/ECB encryption
Yet even without these fixes, the application is still secure to use, and you don’t have to fear privacy intrusion.