The Centre on Tuesday said that no personal information of any Aarogya Setu user has been at risk, responding to an ethical hacker’s claim that he had found security issues in the app.
The ethical hacker, who goes by the name Elliot Alderson, claimed to have found security issues in the app that hampered the ‘privacy of 90 million Indians.’
He also asked the Indian government to contact him in private in order to solve the security issues of the app.
The tweet in which the hacker raised the security concerns reads, “A security issue has been found in your app (Aarogya Setu). The privacy of 90 million Indians is at stake. Can you contact me in private?”
Soon after this, Alderson was contacted by the National Informatics Centre (NIC) and the Indian Computer Emergency Response Team (CERT-In).
As per a statement released by the team of Aarogya Setu, Alderson first claimed that the app fetches user location on a few occasions.
To this, the Aarogya Setu team responded that this is by design and is mentioned in the app’s privacy policy.
It also stated that the app fetches a user’s location and stores it on the server in a secure, encrypted, anonymised manner at the time of registration and self-assessment, and also when a user voluntarily submits contact tracing data through the app.
Alderson also claimed that users can get the COVID-19 stats displayed on the home screen by using a script to change the radius and latitude-longitude.
To this, the Aarogya Setu team claimed that the radius parameters are fixed and can take only one of five specified values: 500 m, one km, two km, five km and 10 km.
The team also claimed that the user can change the latitude and longitude to get the data for multiple locations.
However, the API call is behind a Web application, due to which bulk calls are not possible, the team stated.
“No personal information of any user has been proven to be at risk by this ethical hacker. We are continuously testing and upgrading our systems. Team AarogyaSetu assures everyone that no data or security breach has been identified,” the team further added.