Aarogya Setu is India's COVID-19 contact tracing app, and installing it is mandatory in some parts of the country. According to the hacker who goes by Elliot Alderson (the pseudonym of a French security researcher), the app is vulnerable: anyone could use it to pull data about infected and unwell people and other sensitive COVID-19 test-related information.
Alderson lays out the steps that let him reach the app's internal components and the sensitive data behind them, including figures on infected and unwell people. Anyone could supply a location and a radius, and the app would return the figures for that area.
Through this flaw, one could easily obtain data such as: the number of unwell people, the number of infected people, the number of people flagged as "Bluetooth positive", the number of self-assessments made around you, and the number of people using the app around you.
Initially, the app's WebViewActivity was exported, meaning any other app on the device could launch it; according to him, it could be used to open the dialer with a pre-filled number. After he shared the WebViewActivity details, the developers of Aarogya Setu fixed the issue.
Once the fixes were done, the team released a new version, build 1.1.1. The updated version turned out to be even more vulnerable, letting third parties pull information about people in any locality or region of their choosing.
He bypassed the app's certificate pinning and monitored all of the requests it made to the server. The app returns the number of people affected in a given area, and the user can pick a radius such as 500 m or 1 km to have the app pull the data from the government server. The app itself offers only five pre-set radius options, but since the radius is simply sent along with the request, he was able to set a value of his choice. With a radius of 100 km, the server still returned results, which indicates that the radius was never validated on the server side.
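The lesson from the radius finding is that a picker in the app UI is not a security control: the device owner can strip certificate pinning, intercept the request and change any value in it, so every limit the UI imposes has to be re-checked on the server. The following is an added example, not code from Aarogya Setu or from the researcher; the endpoint shape, the `dist` parameter name, the five radius values and the case distances are all assumptions invented for illustration. It shows a handler that trusts the client-supplied radius beside one that rejects anything outside the allowlist the UI offers.

```python
"""Added example (hypothetical, not the Aarogya Setu API): a server-side
radius check beside the client-trusting version it replaces.

All names and values below are assumptions made for this illustration:
the 'dist' query parameter, the five allowed radii and the sample case
distances are constructed, not taken from the real service.
"""
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

# Hypothetical: the five radius choices the app UI offers, in metres.
ALLOWED_RADII_M = (500, 1000, 2000, 5000, 10000)

# Constructed sample data: distance (metres) from the query point to each
# known case. Stands in for the real backend store.
SAMPLE_CASE_DISTANCES_M = (120, 800, 3400, 42000, 87000)


@dataclass
class Request:
    """Minimal stand-in for an intercepted HTTP request (constructed)."""
    method: str
    url: str


class BadRequest(Exception):
    """Raised when the request fails validation (would map to HTTP 400)."""


def parse_radius(req: Request) -> int:
    """Return the 'dist' query parameter as an int, or raise BadRequest.

    Accepts exactly one 'dist' value; repeated or non-integer values are
    rejected so a tampered query cannot slip past later checks.
    """
    values = parse_qs(urlsplit(req.url).query).get("dist")
    if not values or len(values) != 1:
        raise BadRequest("exactly one 'dist' parameter is required")
    try:
        return int(values[0])
    except ValueError:
        raise BadRequest("'dist' must be an integer number of metres") from None


def count_infected_within(radius_m: int) -> int:
    """Backend lookup stand-in: count constructed cases within the radius."""
    return sum(1 for d in SAMPLE_CASE_DISTANCES_M if d <= radius_m)


def vulnerable_handler(req: Request) -> dict:
    """Trusts the client: whatever radius arrives is used for the lookup.

    The UI only offers ALLOWED_RADII_M, but nothing here enforces that, so
    a crafted request with dist=100000 (100 km) is served like any other.
    """
    radius = parse_radius(req)
    return {"radius_m": radius, "infected": count_infected_within(radius)}


def hardened_handler(req: Request) -> dict:
    """Re-checks the radius against the same allowlist the UI shows.

    Any value the UI could not have produced is rejected before the data
    store is touched, so bypassing pinning and editing the request buys
    the attacker nothing beyond what the app already displays.
    """
    radius = parse_radius(req)
    if radius not in ALLOWED_RADII_M:
        raise BadRequest(f"radius {radius} m is not a permitted value")
    return {"radius_m": radius, "infected": count_infected_within(radius)}


def rejects(handler, req: Request) -> bool:
    """True if the handler refuses the request with BadRequest."""
    try:
        handler(req)
    except BadRequest:
        return True
    return False


if __name__ == "__main__":
    # Hypothetical host and parameter names; only the radius matters here.
    legit = Request("GET", "https://stats.example.invalid/cases?lat=28.6&lon=77.2&dist=1000")
    tampered = Request("GET", "https://stats.example.invalid/cases?lat=28.6&lon=77.2&dist=100000")
    print("vulnerable, 100 km:", vulnerable_handler(tampered))
    print("hardened, 1 km:", hardened_handler(legit))
    print("hardened rejects 100 km:", rejects(hardened_handler, tampered))
```

The same reasoning applies to the location in the request: the server cannot verify where the client really is, so the only robust fix is to limit what any single caller can learn (coarse radii, aggregated counts, rate limits per account), not to rely on the app choosing sensible values.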