A Bangalore-based software engineer has hacked Aarogya Setu, which seems to be slowly becoming mandatory in India. The programmer, who goes by the name Jay, found the mandatory nature of the government's contact tracing app a little too disconcerting, and that's when he decided to rip it all up.
Just a few days ago, on May 5, ethical hacker Elliot Alderson, a Twitter alias taken from the character in the American television series 'Mr Robot', tweeted that there were security issues with the Aarogya Setu app.
He tagged the app's handle and said: "A security issue has been found in your (Aarogya Setu) app. The privacy of 90 million Indians is at stake. Can you contact me in private?" The government, in response, said there is no security or data breach in the Aarogya Setu mobile application.
On the heels of this privacy breach claim, Jay started his work on hacking into the Aarogya Setu app.
According to a Buzzfeed News report, the engineer cracked the application and skipped all the process where he had to fill in the data.
He managed to bypass a page that requested personal information like name, age, gender, travel history, and COVID-19 symptoms.
"I didn't like the fact that installing this app is slowly becoming mandatory in India," said Jay. As he started working on the app at 9:00 AM, he first managed to bypass the code for registration, thereby eliminating the need to enter his phone number.
Moreover, requests to access Bluetooth and GPS of the phone were also shunned, two things without which the app can't function.
After that, Jay managed to install the app without giving away any of his details, and he was marked "safe" even though he didn't give any permission for it to run on his phone. By 1:00 PM, he was done with it.
"I don't want to share my location 24/7 with the government." He said the Indian app fared poorly against what Google and Apple were helping to build: apps that do not store personal information on centralized servers. "If I was coding this app, I would have chosen to keep data points to a minimum," he told Buzzfeed News.
Jay's experiment shows just how easy it is to hack your way around the app and it's unsettling.
With the Bengaluru hacker getting through the app in just four hours, questions now arise about the reliability of this app. Many might just be showing a fake result on the contact tracing app, which completely defeats the purpose of the 'safety' app.
Last month, the Centre had made the app mandatory for all public and private sector employees. It also directed local authorities to ensure that people in Covid-19 containment zones have signed up for the app.
Police in multiple places such as Noida have also said it is mandatory for residents to have the app on their phones.