The government’s swift responses to French hacker Robert Baptiste’s allegations about security issues in the Aarogya Setu app seem to have fallen flat after a Bengaluru programmer breached the app’s defences in less than four hours. Baptiste, or Elliot Alderson as he is known on Twitter, had claimed that “a security issue has been found in your app. The privacy of 90 million Indians is at stake”, but the government had given assurances that there was no data or security breach and had even gone to the extent of booking citizens in Noida for not installing the app on their smartphones.
The liability concerns over privacy issues came to the surface once again when a Bengaluru-based software engineer, who goes by the name of Jay, breached the app’s defences in less than four hours. He apparently hacked the Aarogya Setu app to find a way to not install it on his phone after the government made it mandatory. In an interview with BuzzFeed, Jay shared, “I didn’t like the fact that installing this app is slowly becoming mandatory in India. So I kept thinking of what I could personally do to avoid putting it on my phone.”
Jay reportedly started work at 9 am on a Saturday and managed to bypass the page that requested personal information like name, age, gender, travel history, COVID-19 symptom checker and also the registration page that required people to sign up with their cellphone numbers. Permissions that he viewed as invasive, like those requiring access to the phone’s Bluetooth and GPS at all times, were also carved away by the young programmer. Finishing the work on the app by 1 pm, Jay managed to revoke the app and was able to install it without giving away any of his details. Collecting no data, the app still flashed a green badge declaring that he, as a user, was at a low risk of infection, and he was even marked “safe” despite not giving any permission for it to run on his phone.
Jay shared with the news agency, “That was my goal. I succeeded. You can show the green badge to anyone if they ask to check your phone and they won’t be able to tell.” He added, “I’m rebelling against the mandatory nature of this app. I don’t want to share my location 24/7 with the government. If I was coding this app, I would have chosen to keep data points to a minimum. If I have your location information for a month, I can gauge a lot of things about your life.”
Jay’s concerns are rooted in the Indian government’s record, such as when the country rolled out Aadhaar 10 years ago, with a biometric ID system that stored the fingerprints and iris scans of 1.3 billion Indians in a single database. According to him, the Aarogya Setu app fared poorly against what Google and Apple were helping to build.
Talking about updating his hacking moves if the government tries to fix the loopholes he pointed out, Jay revealed, “I’m going to keep up with them. If they make significant changes or updates to the app, I’ll find other workarounds.”
A few days back, French hacker Baptiste claimed that the developers issued a statement of clarification on behalf of Team Aarogya Setu only after he “sent them a small technical report”. Pointing out that the issue he had brought to light recently “had been fixed silently by the developers”, Baptiste wrote that within 49 minutes of his initial tweet, the National Informatics Centre (which developed the app under the Union Ministry of Electronics and Information Technology) and the Indian CERT contacted him. Satisfied with their quick response, Baptiste had penned, “I’m happy they quickly answered to my report and fixed some of the issues but seriously: stop lying, stop denying.”