India’s contact-tracing app unleashes KaiOS on feature phones

55 million users of $10 Bluetooth-enabled phones come into embrace of closed-source app

India has delivered on its promise to adapt its Aarogya Setu contact-tracing app for feature phones.

A Sunday Tweet confirmed the app’s existence and that it runs on phones from Jio, the nation’s largest mobile carrier.

Jio currently offers two phones, a $10 candy bar model and vintage-Blackberry-like $40 model 2. Both run KaiOS, an effort that derives from the Firefox OS that the browser-maker abandoned back in 2015 . They also offer Bluetooth, the key technology for contact-tracing apps.

While porting the app to KaiOS will mean the contact-tracing app can reach another 55 million devices, India has 550 million feature phone users. Statcounter suggests Android enjoys over 90 percent market share, meaning Bluetooth-driven contact-tracing apps’ problems with iOS will be less of an issue in India than elsewhere.

While the advent of Arrogya Setu on Jio phones is welcome, India has not open-sourced the app. That’s not a massive issue given KaiOS has minuscule global market share, but stands in contrast to other nations contact-tracing efforts.

Security researchers claim the app has security flaws while India’s Software Freedom Law Centre has published criticism of the app on grounds that not being open-sourced is unhelpful, that its efficacy is untested, that using both GPS and Bluetooth represents unwarranted intrusion into users’ movements, and that making use mandatory is unreasonable. ®

Similar topics

Broader topics

Other stories you might like

  • Indian government signals changes to infosec rules after industry consultation
    Reports suggest SMBs will get more time, but core elements including six-hour reporting requirement remain

    Indian media is reporting that the government has consulted with industry about its controversial infosec reporting rules, possibly resulting in concessions that slightly ease requirements for some businesses.

    The rules, introduced on April 29 with no warning and a sixty-day compliance deadline, require organizations operating in India to report 22 different types of information security incidents within six hours of detection, maintain extensive logs of their own and customers' activities and provide that info to authorities as required, and use only network time protocol (NTP) servers provided by Indian authorities or synced to those servers.

    The rules generated swift and widespread opposition on grounds that they were loosely worded, imposed enormous compliance burdens, made India less attractive to foreign tech companies, and would harm privacy. The requirement to report even trivial incidents within six hours was criticized as likely delivering a deluge of reports that would contribute little to the stated goal of securing intelligence with which to defend the nation. The Internet Society warned that insistence on using Indian NTP servers would create an unhelpful reliance on that infrastructure.

    Continue reading
  • Another VPN quits India, as government proposes social media censorship powers
    New Delhi now fighting criticism of eroding free speech and privacy with two proposed regulations

    India's tech-related policies continue to create controversy, with fresh objections raised to a pair of proposed regulation packages.

    One of those regulations is the infosec reporting and logging requirements introduced by India's Computer Emergency Response Team (CERT-In) in late April. That package requires VPN, cloud, and numerous other IT services providers to collect customers' personal information and log their activity, then surrender that info to Indian authorities on demand. One VPN provider, ExpressVPN, last week quit India on grounds that its local servers are designed not to record any logs so compliance would be impossible. ExpressVPN will soon route customers' traffic outside India.

    On Tuesday, another VPN – Surfshark – announced it would do likewise.

    Continue reading
  • Indian government issues confidential infosec guidance to staff – who leak it
    Bans VPNs, Dropbox, and more

    India's government last week issued confidential information security guidelines that calls on the 30 million plus workers it employs to adopt better work practices – and as if to prove a point, the document quickly leaked on a government website.

    The document, and the measures it contains, suggest infosec could be somewhat loose across India's government sector.

    "The increasing adoption and use of ICT has increased the attack surface and threat perception to government, due to lack of proper cyber security practices followed on the ground," the document opens.

    Continue reading

Biting the hand that feeds IT © 1998–2022