Technical and Security Analysis of the Aarogya Setu App

The State and Central Governments are mandating the installation of Aarogya Setu app for government as well as private sector employees and for people in the containment zones.  Aarogya Setu  is being widely criticized by many due to various privacy concerns. On the other side its use is also being defended by the Government. IT and Telecom Minister Sri.Ravishankar Prasad has said that it is a powerful companion  which protects people.

People are debating on the lines of Aarogya Setu being a surveillance app or it being an effective tool for contact tracing of COVID-19 affected people.

SFLC.in has been writing about the various aspects of the Aarogya setu app, particularly about the various problems with the privacy policy of the app.

While these debates are still on, in  this post we have tried to do a detailed technical and security analysis of the  Aarogya Setu app. The detailed analysis report is made available as a PDF.

Technical and Security analysis of Aarogya Setu

We have done the security  analysis of each of the released versions of the Aarogya Setu app, starting from its initial version v1.0.0 to the latest. We will keep updating this post with more analysis as and when new versions will get released.

The detailed analysis of Aarogya setu app is done using the Free and Open Source Tool  provided by the people at OpenSecurity.in . The reports present below includes a detailed Malware analysis, security assessment and analysis on the various other aspects of the app.

Some conclusions from the various analysis reports

1. The app is designed to work offline first as mentioned in their Privacy Policy with syncing its data as and when required when internet becomes available.
2. The app wraps the web application available at https://web.swaraksha.gov.in/ncv19/ as a webview for self-assessment, stats and e-pass. It loads this webview in the app. Although this is changing with newer releases, app developers are making more features available within the app instead of relying on the webview.
3. The web app is deployed in Amazon's cloud servers located at Mumbai.
4. Static files for the above mentioned web app are served from Cloudfront CDN.
5. They have 5 to 6 API endpoints to register, generate and verify OTP and to periodically update user status.
6. The app is dependent on Google Play Services for location, Google Firebase as its database for storing data. The app won't work properly on Android phones without Google Play Services. If someone uses a custom ROM on their phones which often might not have Google Play Services, the app won't work properly in those phones.
7. We could see DELETE FROM table sql queries which according to the applications privacy policy deletes older data. Although from the code it looks like the data is being deleted after 30 days, but we are not sure whether it is actually being done on the server side or not, as the server side is not open source and nor is the client side.

Some links related to the application

1. Link to T&C https://static.swaraksha.gov.in/tnc/
2. Link to Privacy policy : https://web.swaraksha.gov.in/ncv19/privacy/
3. Link to Policy on Adoption of Open Source Software for     Government of India https://meity.gov.in/writereaddata/files/policy_on_adoption_of_oss.pdf