Elliot Alderson red flags security flaws in Aarogya Setu; govt allays fears


Responding to privacy allegations by an ethical hacker, the team behind the Aarogya Setu app issued a clarification early Wednesday morning to allay fears over the app’s security.

At 8:40 PM on Tuesday, France-based ethical hacker Robert Baptiste, better known by his Twitter handle Elliot Alderson, claimed that a security flaw had been found in the Aarogya Setu app and that it could potentially compromise the privacy of 90 million Indians.

“A security issue has been found in your app. The privacy of 90 million Indians is at stake. Can you contact me in private?” the tweet said.

An hour later, Alderson tweeted that the Indian Computer Emergency Response Team (CERT-In), under the Ministry of Electronics and Information Technology, and the National Informatics Centre (NIC) had contacted him and that the issue had been disclosed to the agencies.

The Aarogya Setu team then responded with a one-page statement at 1:00 AM on Wednesday, clarifying that “no personal information of any user has been proven to be at risk.”

Aarogya Setu was launched last month to help people self-assess their risk of being infected with Covid-19. 

The team added that the Aarogya Setu systems were continuously being tested and upgraded, and assured users that no security issues or data breach had been identified.

The letter also thanked Baptiste for pointing out the security concerns.

“We encourage any users who identify a vulnerability to inform us immediately @support.aarogyasetu.gov.in,” the tweet from the application’s main page read.

However, the latest tweet from Alderson hinted at a location tracking method known as ‘triangulation’.

The tweet could be referring to triangulation, a method of determining a user's location from radio signals by measuring the user's distance from mobile towers near their geographical location.

Alderson was recently in the news for exposing issues in the mobile Aadhaar application mAadhaar, where he said a database of biometric data was prone to an attack.

Back in July 2018, Alderson was one of the many hackers who exposed the personal information of the chief of the Telecom Regulatory Authority of India (TRAI), RS Sharma, after the bureaucrat tweeted his Aadhaar number and challenged hackers to get access to his personal data.