No security breach in Aarogya Setu app, govt assures after ethical hacker raises privacy concerns

The government on Wednesday said no data or security breach has been identified in Aarogya Setu after an ethical hacker raised concerns about a potential security issue in the app.

The app is the government’s mobile application for contact tracing and disseminating medical advisories to users in order to contain the spread of COVID-19.

   

On Tuesday, a French hacker and cyber security expert Elliot Alderson had claimed that “a security issue has been found” in the app and that “privacy of 90 million Indians is at stake”.

Dismissing the claims, the government said “no personal information of any user has been proven to be at risk by this ethical hacker”.

“We are continuously testing and upgrading our systems. Team Aarogya Setu assures everyone that no data or security breach has been identified,” the government said through the app’s Twitter handle.

The tweet gave point-by-point clarification on the red flags raised by the hacker.

“We discussed with the hacker and were made aware of the following… the app fetches user location on a few occasions,” it said, but added that this was by design and is clearly detailed in the privacy policy.

The app fetches users’ location and stores it on the server in a secure, encrypted, anonymised manner – at the time of registration, at the time of self-assessment, when users submit their contact tracing data voluntarily through the app or when it fetches the contact tracing data of users after they have turned COVID-19 positive, it said.

On another issue that users can get COVID-19 stats displayed on the home screen by changing the radius and latitude-longitude using a script, Aarogya Setu said that all this information is already public for all locations and hence does not compromise on any personal or sensitive data.

“We thank the ethical hacker on engaging with us. We encourage any users who identify a vulnerability to inform us immediately…,” it said.

Responding to Aarogya Setu’s clarification, Alderson tweeted, “I will come back to you tomorrow”.
