I almost decided to not post this blog. But on second thoughts I am posting it.
Date : 22nd May 2020.
Background :
Aarogya Setu has comeout as one of the most powerful tool that Government of India released to protect its citizens through “Contact Tracing”. While I do not directly know the source of inspiration for our government to do so, I believe that countries which are being respected for their ways of controlling COVID-19 spread, like – South Korea and Taiwan, have used such apps in their nations and given credit to the apps to be a successful tool in their fight against Corona virus.
Recently, there were tweets claiming how the app is dangerously exposing the privacy of Indian citizens.
For a typical app to fail in the market is neither a concern of mine personally, nor is it unheard of. While, it makes me curious to know more about the reality of the situation, my natural reaction in such cases is – these guys will figure it out; I don’t need to step in.
But when I looked at the flip side – the possible results of “Aarogya Setu” app failing due to privacy reasons, I got hugely concerned for 2 reasons –
- What if the app is really lacking privacy control? To put it in the terms of the “hacker” – what if it is truly exposing PII- Personally Identifiable Information of millions of citizens? In this case, the hacker claimed it to be 90million (number of downloads at the time of claim). This is simply NOT ACCEPTABLE.
- What if these claims were incorrect but the citizens do not adopt the app because of the fear and thus the country is unable to utilize a huge opportunity to protect its citizens. This would mean exposing the human lives all around to a massive danger, when we could have protected them. This is even more NOT ACCEPTABLE.
I wanted to do a deep dive, and therefore discussed the subject with some leading security professionals. Am capturing below – exactly the thoughts shared by them and the links they pointed me to. I wanted to hear from multiple professionals on their analysis on the subject beyond just my own observations.
Professionals mentioned in this blog are :
- Prashant KV (Involved in discussion)
- Swaroop Yermalkar (Involved in discussion)
- Nidhish Pandya (Referred)
- Harshit Agarwal (AppKnox) (Referred)
- Abhinav Sejpal (Involved in discussion)
Folks involved :
I reached out to few security test professionals including Prashant KV. Prashant further added Abhinav Sejpal and Swaroop Yermalkar. When it comes to Security, one of the world wide recognized community is OWASP – Open Web Application Security Project . OWASP is an online community that produces freely-available articles, methodologies, documentation, tools, and technologies in the field of web application security, by the way of setting Industry standards, organizing Conferences and Workshops. Their key focus areas are – Web Security, Application Security, Vulnerability Assessment.
So it may be of interest of the readers to know that Prashant is an OWASP Chapter Lead for San Francisco Bay Area and is a Security engineer at a leading retail firm in the US. Swaroop is the OWASP iGoat Project Lead (Community Project dedicated to mobile security), Head of Cyber Security (India) for a leading cybersecurity firm. He is also the author of the book “Learning iOS Penetration Testing” and he is a well-known mobile bug bounty hunter. Abhinav Sejpal is also an OWASP chapter Lead, has spoken at – null, The Open security conference. He is currently the DevSecOps in a leading technology consulting firm.
PII :
And before I share with you the findings, let us understand what is PII?
PII – Personally Identifiable Information- is the information that can be used on its own or along with other information to identify, contact, or locate a single person, or to identify an individual in context.
Non-sensitive PII can be transmitted in unsecured form without causing harm to an individual. Sensitive PII must be transmitted and stored in secure form, for example, using encryption, hashing.
PII could include – direct identifiers – your Aadhar Number, Driving License, bank Account Number, Name, Phone number, Vehicle License number, Address, Mobile numbers, Email ID, Full face Photos, Biometric identifiers (Iris scan and finger prints), etc.
And then there are indirect identifiers – which can be used to identify a person, when used in combination with other information –like – Birthdates, languages spoken, Geographical Locations, Medical Insurance Plans, Medical conditions. These are not independently enough to identify an individual in a group of more than 1 person.
Discussion and Findings:
My conclusions are based on my analysis of the app and further discussions with my peers and going through all the detail analysis done by different people referred to me by my reputed peers.
Let me start with responses of the security engineers –
1. Prashant’s thoughts :
To summarize :
Old version of app had a bug that could allow other apps to read files inside
the app sandbox using an exposed Activity and its intent filter. This issue was fixed.
App has jailbreak/root detection and ssl pinning. Both can be bypassed by
custom frida scripts. SSL pinning is not perfect in mobile implementation and can be bypassed.
In the latest version, app sends coordinate via headers to an endpoint and the
server returns information about how many are infected etc. The privacy issue being discussed is that anyone anywhere in the world can put in any coordinates in India and retrieve info about how many infected There are no names or any personal info leaked. Just number of people infected. The app is supposed to show these numbers based on your coordinates. Issues mentioned by the researcher might be of low risk based on that calling the app a disaster is not correct.
Much of the South Korea, Taiwan and china’s success is attributed to a similar app.
– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –
Prashant also shared another tweet from October 2019 – where another hacker, called out the site that belongs to our attention seeker – Robert Baptiste aka Elliot Alderson , as vulnerable.
https://twitter.com/crackohacker/status/1182596471058681856?s=21
Furthermore, Prashant also shared a blog from another Security engineer – Swaroop Yermalkar, refuting Baptiste’s previous claims – https://blog.swaroopsy.com/2020/05/07/part-1-truth-behind-propaganda-against-maadhaar-security/amp/
Since Swaroop was part of the conversation, we will talk more about his view in the blog further.
Towards the end of our conversation, Prashant shared 2 more write – ups :
- https://medium.com/@N1gh7m4r3/explaining-exposing-imaginary-arogyasetu-privacy-issue-433a6dc7b76e
This is written by Nidhish Pandya, who is a cyber-security enthusiast. He has clearly called out the security issues raised by Baptiste as imaginary. His blog is full of pointers to various sources which prove his point.
- https://www.appknox.com/blog/is-the-aarogya-setu-app-safe-to-use
Appknox is a company that specializes in mobile app security. I found their analysis to be pretty detailed and conclusive. Hence, let me share the final word here from Harshit Agarwal , the CEO of AppKnox.
The Word
There might indeed be certain security misconfigurations in the Aarogya Setu app, but none of which pose great threats. Into the bargain, we never found any evidence for the PII data breach in our security assessment.
We strongly believe Aarogya Setu app is the Indian government’s approach to providing the right information during the uncertain times of the COVID pandemic. Nevertheless, based on our findings, the following low and medium level safety issues of the Aarogya Setu can be rectified,
- Implementation of ATS in iOS devices
- Non-expiration of tokens
- Usage of SSL Pinning instead of encryption
- Using AES/CBC encryption instead of AES/ECB encryption
Yet, even without these rectifications, the application is still secure to use, and you don’t have to fear privacy intrusion.
Harshit’s blog also mentioned the below details as “Fact” against Baptiste’s claims.
Fact:
The radius buffers have been limited to five values, as mentioned earlier. These standard values are posted with HTTP headers. Even if any user enters another value, the distance will be directed to the default value of 1km.
As asserted by the hacker, the user can indeed fetch data for multiple locations by changing the coordinates. Nevertheless, the API enforced in the Aarogya Setu application prevents such bulk calls from being processed.
So, there is absolutely no way for one user to procure the COVID-19 statistics by simply changing the coordinates.
That said, the claims of french researcher are futile. He was unable to prove the privacy risk of any user using the Aarogya Setu app. So, rest assured, you are safe. None of your confidential and sensitive information is out in the open, everything is secure.
2. Abhinav Sejpal
His recommendations were –
#1 Open source Aarogya Setu App Source code and Allow the honest feedback.
#2 Start the bug bounty via Hackerone or bugcrowd or whatever works for Indian gov
#3 Invite few security experts to review findings and crowd source overall triage process.
One may have to review these asks but it could be worth a look.
3. Swaroop Yermalkar
And our final specialist – who is a highly accomplished security professional – he wrote the following blog for his review of Aarogya Setu app –
https://blog.swaroopsy.com/2020/05/08/part-2-truth-behind-propaganda-against-the-aarogya-setu-app-security-the-real-story-of-success/
One can find his other blogs on security issues at: https://blog.swaroopsy.com/
In his words – clearly – “There were some security issues but NO Breach! No personal info of single user got leaked!”
On probing further, he shared his interaction with Baptiste, who could not take being questioned on his false claims and Swaroop says – he got blocked therefore by Baptiste on twitter.
Incidentally , the day we were discussing this a news came in that someone from Bangalore hacked Aarogya Setu and I asked Swaroop, what does he think about that. He pointed me to his tweet that said –
#mensxp Stop spreading misinformation! Have you performed verified analysis by security professionals? Validations can be bypassed at client side! Where is PII? Don’t make #infosec as #tiktok videos or #clickbait!
You can see his popular tweet at : https://twitter.com/swaroopsy/status/1260963165094834177
Major Highlights of Swaroop’s blog :
The list of vulnerabilities mentioned:
- Access to App’s Internal Files – LowSeverity
- Bypassing Root Detection Using Frida – LowSeverity
- Bypassing SSL Certificate Pinning – LowSeverity
- Finding Infected People In Any Area – Low/infoSeverity (It’s the app by design)
Final Conclusion: Vulnerabilities discussed didn’t disclose any PII / Personal Data / Age / Name of any COVID-19 Patients or Arogya Setu App Users. Forget about 90 millions but not even single user’s data got exposed! Bug Bounty Companies would pay USD 0 for these type of issues! Now you can decide, are these really security threats or just a publicity stunt?
In fact, I would say the Aarogya Setu App is a success story! Millions of users downloading this app and helping people to get aware of nearby patients around them!
I also agree that government apps should have proper channels / bug bounty programs to receive security issues. India has one of the largest infosec community and can help government apps to get them more and more secure.
My observations :
- Much like all leading apps that different governments ( e.g : TraceTogether (Singapore), NHS (UK)) in the world have come up with , Aarogya Setu was also built in like 15 days.
- Technology stack looks similar to other such apps – AWS / SQLite / secure hosting/ rooted device detection.
- Interestingly – Aarogya Setu has implemented an additional layer of encryption (Lat / Long). Also, it stores data for a limited period of time both for COVID infected (60 days) and not infected people (45 days).
- I am NOT a reputed security engineer yet. But going by the take of so many of proven, experienced and reputed #InfoSec professionals – all claims made by Baptiste / someone in Bangalore (reported in menxp) – ARE TOTALLY FARCE AND ATTENTION SEEKING ACTIONS.
- Clearly there were some gaps in the previous version of the app, which have been fixed.
As a member of community of testing professionals – we like to believe that there is no software that is 100% defect free. After studying the app and comparable apps and usages across the globe, I find Arogya Setu to be a powerful tool made by the government to protect Indian citizens and one can download it and use it without any fear of security issues especially wrt what Baptiste claimed.
**Original blog ends here.
Further updates on Aarogya Setu –
The top demands from the security professionals across the world have been heeded to by the Aarogya Setu team.
As of today – the app has been open- sourced, and government has initiated a bug bounty program for the app.
Further updates from Swaroop.
Update 1 [May 26, 2020] – https://twitter.com/SetuAarogya/status/1265281058532016128
The #AarogyaSetuApp is now open source. Read the attached release documents to know more.
Update 2 [May 27, 2020] – https://twitter.com/SetuAarogya/status/1265353503221772288
Aarogya Setu Bug Bounty Program – Aarogya Setu Bug Bounty Program – call upon the developer community to join hands to help make Aarogya Setu more robust and secure. Those identifying vulnerabilities, bugs, or code improvement stand to get recognized and win cash awards too.
During lockdown, it may not have been important to use Aarogya Setu. But now that lockdown is getting lifted, and people are expected to move out and come in contact with more people beyond their immediate family and folks, IT IS MORE IMPORTANT TO USE AAROGYA SETU NOW. And I decided to publish this blog only with the purpose to reiterate the importance of the use of this app and to appeal more citizens to adopt it.
The success of the app is directly proportional to its adoption. More the number of people who use Aarogya Setu, better will be the information provided by the app.