India said its coronavirus contact-tracing app is perfect... adds bug bounty and open-sources it anyway

As the legalese changes to extend data retention period


India has open-sourced its Aarogya Setu contact-tracing app and announced a bug bounty programme to detect any security issues.

Aarogya Setu – which translates into English as "bridge to health" – has now been downloaded over 110 million times. Unlike many comparable apps around the world, Aarogya Setu tracks users' locations, and its source code – for both the mobile apps and the back-end – had remained secret. That secrecy did not prevent partial decompilation of the Android APK, which led to several reports of vulnerabilities.

India had previously brushed off such concerns, with the app's developers and senior government figures dismissing them on Twitter.

Yet the nation has now decided to open the app and run a bug bounty programme.

It's not clear what sparked the change, but India's Ministry of Electronics & Information Technology admitted: "Despite the best measures taken, the presence of vulnerabilities may exist. When such vulnerabilities are found, Government would like to learn of them as soon as possible." The ministry also said the nation wishes only to share its code with the world for the common good.

A GitHub repo has been created and offers the code for the Android version of the app under the Apache License 2.0. India's government has promised that the iOS code will also be released.

The bug bounty looks a little rustic: it asks researchers to send bug reports to Indian government email addresses rather than using a third-party bounty platform like Bugcrowd or HackerOne, and it invites developers to suggest code improvements as well as report bugs. The top bounty is around US$4,000. Full details of the programme can be found here [PDF].

Both the open-sourcing of the app and the bug bounty programme were welcomed.

Welcome came from India's IT industry lobby NASSCOM and from India's Software Freedom Law Center, which has also offered an analysis of recent changes to the app's privacy policy and terms of service. The center welcomed the lifting of the ban on reverse-engineering, but expressed concern that the app's data retention period has been extended, that broad language permits wide sharing of the data the app gathers, and that sharing of de-anonymised data also appears possible. It also notes that users may now request deletion of their data, but that no mechanism for making such a request has been stipulated.

While debate about the app continues, India's government says it has been very effective. The statement [PDF] announcing the code release says: "So far, the platform has reached out to more than 900,000 users and helped advise them for Quarantine, caution or testing. Amongst those who were recommended for testing for COVID19, it has been found that almost 24 per cent of them have been found COVID19 positive." That rate is well above the proportion of positive results among tests across the population as a whole, which the government takes as a sign that the app is directing testing resources to those most likely to be infected. India's government also says the app has helped it to identify current and future virus hotspots and therefore to improve health services. ®

Biting the hand that feeds IT © 1998–2020