India said its coronavirus contact-tracing app is perfect... adds bug bounty and open-sources it anyway
As the legalese changes to extend data retention period
India has open-sourced its Aarogya Setu contact-tracing app and announced a bug bounty programme to detect any security issues.
Aarogya Setu – which translates to English as "path to health" – has now been downloaded over 110 million times. Unlike many comparable apps around the world, Aarogya Setu tracks users' locations and its source code – for both apps and back-end – remained secret. However, that stance could not prevent partial decompilation of the Android APK, which led to some reports of vulnerabilities.
India has previously brushed off such concerns with the app's developers and senior government figures offering tweets like the ones below.
"Aarogya Setu is completely safe and your data is fully secure. It's privacy first by design. All your queries answered here. Do watch and share. #SetuMeraBodyguard #IndiaFightsCorona https://t.co/i0Ul06uGct" — Aarogya Setu (@SetuAarogya) May 7, 2020
Yet the nation has now decided to open the app and run a bug bounty programme.
It's not clear what sparked the change, but India's Ministry of Electronics & Information Technology admitted: "Despite the best measures taken, the presence of vulnerabilities may exist. When such vulnerabilities are found, Government would like to learn of them as soon as possible." The ministry also said the nation wishes only to share its code with the world for the common good.
A GitHub repo has been set up and offers code for the Android version of the app under the Apache License 2.0. India's government has promised that the iOS code will also be released.
The bug bounty appears a little rustic, as it involves sending bug reports to Indian government email addresses rather than using a third-party bounty platform like Bugcrowd or HackerOne. It also asks developers to suggest code improvements as well as report bugs. The top bounty is around US$4,000. Full details of the programme can be found here [PDF].
Both the open-sourcing of the app and the bug bounty program were welcomed.
"Great move by @GoI_MeitY to open up the #SourceCode of @SetuAarogya. Allowing developers to take a deeper look into its inner workings will go a long way in reinforcing the security & transparency of the app. @amitabhk87 @SecretaryMEITY @debjani_ghosh_ @rsprasad @DSCI_Connect https://t.co/Yn2AsKnufu" — NASSCOM (@nasscom) May 26, 2020
"@SetuAarogya's Android version is open source now! @SFLCin welcomes this development. We are happy that the Government has at last agreed to do what we have been asking all along. @fs0c131y #AarogyaSetu #OpenSource #FreeandOpenSource #ContactTracing #Covid_19india #Elliottwave" — sflc.in (@SFLCin) May 26, 2020
While debate about the app continues, India's government says it has been very effective. The statement [PDF] announcing the code release says: "So far, the platform has reached out to more than 900,000 users and helped advise them for Quarantine, caution or testing. Amongst those who were recommended for testing for COVID19, it has been found that almost 24 per cent of them have been found COVID19 positive." That rate is well above the percentage of positive tests among the population as a whole, which the government takes as a sign that the app is facilitating better use of testing resources. India's government also says the app has helped it to identify current and future virus hotspots and therefore improve health services. ®