The State and Central Governments are mandating installation of the Aarogya Setu app for government as well as private-sector employees and for people in containment zones. Aarogya Setu has been widely criticised over various privacy concerns, while on the other side its use is being defended by the Government: IT and Telecom Minister Sri Ravi Shankar Prasad has said that it is a powerful companion which protects people.
The debate is over whether Aarogya Setu is a surveillance app or an effective tool for contact tracing of people affected by COVID-19.
While that debate continues, in this post we have attempted a detailed technical and security analysis of the Aarogya Setu app. The detailed analysis report is made available as a PDF.
Technical and Security analysis of Aarogya Setu
We have done a security analysis of each released version of the Aarogya Setu app, starting from its initial version v1.0.0 up to the latest. We will keep updating this post with more analysis as and when new versions are released.
The detailed analysis of the Aarogya Setu app was done using the free and open-source tool provided by the people at OpenSecurity.in. The reports presented below include a detailed malware analysis, a security assessment and analysis of various other aspects of the app.
| Aarogya Setu app version number | Respective technical analysis report |
|---|---|
Some conclusions from the various analysis reports
- The app wraps the web application available at https://web.swaraksha.gov.in/ncv19/ in a WebView for self-assessment, stats and e-pass, and loads that WebView inside the app. This is changing with newer releases: the developers are making more features available natively within the app instead of relying on the WebView.
- The web app is deployed on Amazon's cloud servers located in Mumbai.
- Static files for the above-mentioned web app are served from the CloudFront CDN.
- There are 5 to 6 API endpoints, used to register, to generate and verify the OTP, and to periodically update the user's status.
- The app depends on Google Play Services for location and on Google Firebase as its database for storing data. It will not work properly on Android phones without Google Play Services, so anyone using a custom ROM, which often does not ship Google Play Services, will find that the app does not work properly on their phone.
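As an added example (not code from the original post or from the analysis tool it used), the following Python script shows how findings like the ones above are checked: pull every URL out of the strings extracted from a decompiled APK and group them by host into the categories the post reports (WebView host, static files, CDN, Firebase, API). The sample strings are constructed; the API and Firebase hosts and paths are placeholders, since the post does not list the real ones.

```python
import re
from collections import defaultdict

# Constructed sample of strings as they might be pulled from a decompiled APK
# (for example the output of `strings classes.dex`). The swaraksha.gov.in hosts
# are the ones named in the post; the API and Firebase hosts/paths are
# placeholders, not the app's real endpoints.
SAMPLE_STRINGS = """
https://web.swaraksha.gov.in/ncv19/
https://static.swaraksha.gov.in/tnc/
https://d1example.cloudfront.net/assets/app.js
https://placeholder-api.example.gov.in/api/v1/register
https://placeholder-api.example.gov.in/api/v1/otp/generate
https://placeholder-api.example.gov.in/api/v1/otp/verify
https://placeholder-api.example.gov.in/api/v1/status
https://placeholder-project.firebaseio.com/
com.google.android.gms.location.FusedLocationProviderClient
"""

# Matches http(s) URLs up to whitespace or a quote/angle bracket.
URL_RE = re.compile(r"https?://[A-Za-z0-9.-]+(?:/[^\s\"'<>]*)?")


def classify_host(host):
    """Map a host name to the infrastructure category used in the findings."""
    if host.endswith(".cloudfront.net"):
        return "cdn"
    if host.endswith(".firebaseio.com"):
        return "firebase"
    if host.startswith("web."):
        return "webview"
    if host.startswith("static."):
        return "static"
    return "api"  # anything else is treated as a backend API host


def extract_endpoints(text):
    """Return {category: sorted list of URLs} for every URL found in text."""
    found = defaultdict(set)
    for url in URL_RE.findall(text):
        host = url.split("/")[2]
        found[classify_host(host)].add(url)
    return {cat: sorted(urls) for cat, urls in found.items()}


def uses_play_services(text):
    """True if the strings reference Google Play Services (com.google.android.gms)."""
    return "com.google.android.gms" in text


if __name__ == "__main__":
    for cat, urls in extract_endpoints(SAMPLE_STRINGS).items():
        print(cat, urls)
    print("Play Services referenced:", uses_play_services(SAMPLE_STRINGS))
```

Counting the entries in the `api` bucket is the quick way to check a claim like "5 to 6 API endpoints" against a given APK version.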
Some links related to the application
- Link to T&C https://static.swaraksha.gov.in/tnc/
- Link to Policy on Adoption of Open Source Software for Government of India https://meity.gov.in/writereaddata/files/policy_on_adoption_of_oss.pdf