News Fyi Why Aarogya Setu app tracks user's location and why it's not a security risk

Why Aarogya Setu app tracks user's location and why it's not a security risk

Aarogya Setu has responded to claims of a potential security issue with respect to monitoring of user's location via the app that has been specifically designed to curb the spread of coronavirus in India. The team responsible for running the app discussed the issue of privacy with an ethical hacker.

Aarogya Setu responds to ethical hacker on questions of potential security issue  Aarogya Setu responds to ethical hacker on questions of potential security issue 

Aarogya Setu has responded to claims of potential security issue with respect to monitoring of user's location via the app that has been specifically designed to curb the spread of coronavirus in India. The team responsible for running the app discussed the issue of privacy with an ethical hacker. "Earlier today, we were alerted by an ethical hacker of a potential security issue of Aarogya Setu. We discussed with a hacker and were made aware of the following," team Aarogya Setu tweeted from the app's official twitter handle.

The hacker reportedly raised concerns of the App fetching user location on a few occasions. To this the Aarogya Setu team responded -- "This is by design and is clearly detailed in the privacy policy. Reproducing the same for everyone's benefit. We fetch a user's location and store on the server in a secure encrypted, anonymized​ manner at the time of registration, at the time of self-assessment and when a user submits their contact tracing data voluntary through the app or when we fetch the contact tracing data of a user after they have turned COVID-19 positive."

Aarogya Setu responds to ethical hacker on questions of potential security issue 

The second concern raised by the hacker was -- User can get the COVID-19 stats displayed on the hom screen by changing the radius and latitude-longitude using a script. Team Aarogya Setu responded to this with a detailed clarification. 

"The radius parameters are fixed and can only take one of the five values: 500 meters, 1km, 2km, 5km and 10km. These values are standard parameters poster with HTTP headers. Any other value as part of the 'distance' HTTP header gets defaulted to 1km. The user can change the latitude/longitude to get the data for multiple locations. The API call though is behind a Web Application Firewall, and hence bulk calls are not possible. Getting data for multiple latitude, longitude this way is no different than asking several people of their locations' COVID-19 statistics. All this information is already public for all locations and hence does not compromise on any personal or sensitive data," the team clarified.