We would like to thank Akshay S. Dinesh and Anivar A Aravind for assisting our team with the technical analysis.
Aarogya Setu (hereinafter “Aarogya Setu” or “the App”) is an “intelligent solution for contact tracing” promoted by the Ministry of Electronics & Information Technology (hereinafter “the MeitY”). It was launched in public-private-partnership mode with contributions from volunteers at industry actors including GoIbibo, 1mg, and others.
Aarogya Setu handles sensitive data of millions of Indian citizens. Various ad-hoc rules make it difficult for citizens to refuse to install the App, making it de facto mandatory. There have been calls for transparency regarding the management of this data from the very beginning, including specific requests to follow the Government's own policy of adopting open source and to release the source code of the App and of the backend services that manage health data, user accounts, and so on. That would have been a welcome step to bolster citizens' trust in the App and to alleviate their concerns about private actors being able to gather data on citizens.
The government open-sourced Aarogya Setu’s Android application along with a press release on May 26th, 2020, and a similar announcement regarding the iOS version of the App was made on August 14th, 2020.
In both releases, only the client-side application source code (Android and iOS, respectively) was released. Analysing it, one observes that the primary functions of the phone application are to let citizens register with their phone number and then to perform Bluetooth-based proximity detection linked to that registration, by collecting Bluetooth interaction data. Once on-boarding is complete, the citizen is presented with a “webview” that loads the URL https://web.swaraksha.gov.in/ncv19 like a web browser. Features such as risk status, self-assessment and e-Pass work through this website, which in turn communicates with various API endpoints.
You can read our technical and security analysis of the phone app here. Our team also discussed the Aarogya Setu open-sourcing which can be viewed on our YouTube channel here.
Since how data is stored and maintained can only be understood by looking at the source code behind these upstream APIs, many stakeholders immediately asked for all source code of the Aarogya Setu project to be released, especially the backend code that handles sensitive citizen data.
On November 20th, 2020, six months after releasing the Android client-side code, the Ministry of Electronics & Information Technology issued a press release titled "Backend Code of Aarogya Setu released in Open Domain.” This is in line with “the policy of Government of India to share all code repositories with developer community”, as stated previously.
Snippets of Backend Code
Since the critical need for transparency concerns the parts that manage citizen data, releasing the complete backend code would have accomplished the stated aim of complete transparency. In our analysis we found, as others have, that the code released is by no means all of the code that runs the backend servers of the Aarogya Setu application. Notable points from our analysis follow.
1. The code released on 20th November does contain code that corresponds to the frontend of the website web.swaraksha.gov.in/ncv19.
As mentioned above, this is the website loaded in the webview of the apps. The code in the “pages” and “components” folders uses “Preact”, a lightweight web UI framework with a React-compatible API. The URLs in the “routes” folder correspond to URLs on web.swaraksha.gov.in such as https://web.swaraksha.gov.in/ncv19/epass and https://web.swaraksha.gov.in/ncv19/icmr.
Similarly, the “assets” folder contains images that are displayed to the citizen through the app.
2. The code released also contains code that lets the website interact with the application through the webview.
The “app-bridge” folder contains code that allows the website to hook into the application installed on citizens’ phones in order to exchange data. (Note that, in addition to this, the Aarogya Setu application installed on devices communicates directly with the upstream servers and vice versa.)
3. Some of the libraries/modules that the code depends on have not been released.
Some functionality of the released code comes from libraries that are referenced but whose source is not part of the release, for example:
@ibibo/newrelice-instance depends on the package “newrelic”, which is the Node.js library for the application performance monitoring and observability platform “New Relic”, based out of San Francisco.
We cannot be sure that the dependencies referenced in the code snapshot are the same packages as the ones we found under those names. Therefore, there is no way for us to deduce what functionality these libraries add to the Aarogya Setu ecosystem.
4. Very little of the released code is meant to run on the backend.
Of the 509 files in the code base, only the 5 files in the “api” folder are meant to run on the backend. They account for about 87 lines (roughly 1%) of the 7,425 lines of code in the released snapshot. The rest is “frontend” code, designed to be sent to and executed on users' devices through the webview.
5. The code that is meant to run on the backend does very little backend work.
The code in the “api” folder is designed to interface with two upstream servers. According to the “prod” configuration in the “env” folder, these could be https://fp.swaraksha.gov.in and https://webapi.swaraksha.gov.in.
These hostnames resolve to Amazon Web Services IP addresses. The code that powers these upstream services is not included in the release.
No code in the “api” folder, or anywhere else in the snapshot, performs typical “backend” functionality such as authentication and authorization, database access, or data aggregation and querying.
For example, the screenshot below shows the contents of the path “src/utils/delete-account-middleware.server.js”.
Although the name suggests a “middleware server” for account deletion, the file does not implement any such functionality.
There is no reference to a database anywhere in the released code, and no database schema or definition files are included.
6. The code released cannot be run.
The application code released earlier, such as that of the Android application, could be compiled and executed independently by researchers. The code released now has no scripts for launching, running or executing it. For instance, the “scripts” section of package.json (where Node.js projects typically put such commands) contains only one entry, “test”, which is configured to print "Error: no test specified" and exit with an error code.
There is no accompanying documentation describing how these files are to be executed on a server, and no architecture documentation either.
Nor is any information provided as to whether they are designed to run on cloud services such as AWS Lambda.
Our analysis shows that the source code released as the “backend code” is grossly incomplete. While any effort at transparency is to be lauded, much of how Aarogya Setu operates remains opaque. To summarise our analysis:
a. The code released on 20th November does contain code that corresponds to the frontend of the website web.swaraksha.gov.in/ncv19.
b. The code released also contains code that lets the website interact with the application through the webview.
c. Some of the libraries/modules that the code depends on have not been released.
d. Very little of the released code is meant to run on the backend.
e. The code that is meant to run on the backend does very little backend work.
f. The file named as a “middleware server” for account deletion does not implement any such functionality.
g. The backend code has no scripts for launching, running or executing it.
h. There is no accompanying documentation describing how these files are to be executed on a server, and no architecture documentation either.