While the debate over India mandating that its citizens install the Aarogya Setu app continues, an interesting story has just emerged about the privacy concerns of using it. A hacker who goes by the name Elliot Alderson on Twitter has detailed how the Aarogya Setu app leaks app data, which includes the number of people around you who are infected, unwell, tested, and using the app. By inserting some functions, he claims, anyone can find out who is infected anywhere in India, in an area of their choice!

Aarogya Setu Hack
India's COVID-19 contact tracing app, Aarogya Setu, is infamous for being pushed by the ruling government and for accusations from opposition parties that it is a surveillance tool. While the politicians are engaged in a dogfight over this, a hacker named Elliot Alderson, who previously uncovered the weak security of India's Aadhaar system, has now made similar claims about the Aarogya Setu app!
Flaws Letting Internal Access
In his Medium blog post, he detailed how anyone can learn the precise location of an infected person anywhere in India, from anywhere. He first uncovered a bug on April 3rd, just two days after the app was launched. It concerns a WebViewActivity, a component that is mainly concerned with web pages. A deeper analysis, however, reveals that it can trigger the dialer and pre-dial a number.
It can be considered as a security issue pic.twitter.com/A1Rj44m2me — Elliot Alderson (@fs0c131y) April 3, 2020