Coders flag host of issues, offer tips to improve Aarogya Setu
In less than 48 hours since the Android code of the Aarogya Setu mobile application was thrown open for review, at least 165 issues of various levels of severity were flagged by the software developer community to help the government identify and plug holes, ranging from the way the app uses Bluetooth for contact tracing to typos in its text.
The number and nature of suggestions that poured in could make Aarogya Setu, now being used by over 100 million Indians, one of the first big government projects to be improved through public inputs, experts said.
“People have raised a lot of issues and while among these, many may be minor, what it really shows is participatory governance in the making,” said Srinivas Kodali, an independent researcher working on technology, data and governance. “But it needs to be extended to other governance applications and IT systems – it cannot be one-off,” he added.
The code of Aarogya Setu for Android phones was shared at 12am on Wednesday on code-sharing website GitHub. A review of issues posted by people varied from concerns over the way the app deployed Bluetooth, typos in the text displayed by the application and suggestions for improvements.
“All suggestions are under review by the technical team,” said Abhishek Singh, CEO of MyGov. An IT ministry official, who asked not to be named, added that the technical team has been instructed to notify MyGov in case of a serious issue. Other issues, as mentioned in the timeline by the government, will be reviewed in three days by the team.
So far, no “significant” development has been flagged, added the official.
However, some posts said that the version available for users to download through the Google Play store is not the version for which the code was made public.
One of the more serious concerns, flagged by Sydney-based developer Jim Mussared, concerned the way contact-tracing applications use Bluetooth to determine whether people have been in close contact with another person.
The vulnerability, which has been confirmed in at least Australia’s COVIDSafe application, allows for long-term tracking of users and possibly enables other Bluetooth-based attack vectors, according to the global vulnerability listing of the problem.
“We have not confirmed that the issue exists in the Aarogya Setu app, we just wanted to reach out to the team so they could clarify for sure. Given that it affects other apps it seemed important to check with them, but we haven’t been able to get a reply by email yet,” said Mussared in an email to HT.
The researcher added that there have been several issues in contact-tracing apps from multiple countries, and that many of these are due to using Bluetooth in this manner. The details of this particular vulnerability will be made public on June 19 at the end of a 45-day embargo that is meant to give developers time to address it.
Bluetooth is a short-range radio technology. Its short range is one of the reasons contact-tracing tools have preferred it for determining close contacts, but the technology itself has a history of exploitable weaknesses.
Several of the other posts on the Aarogya Setu GitHub page also suggested how the Bluetooth deployment could be made safer.
The government has announced a bug bounty, offering ₹1-3 lakh for researchers who expose serious vulnerabilities.
More suggestions are likely to pour in as comprehensive code reviews can take several days.