Bear with me, this one is going to be a bit longer. It all began when Vikram Kadiam, a UK-based technical architect, tweeted about Aarogya Setu and tagged a hacker that goes by his twitter name Elliot Alderson. Aarogya Setu is a COVID-19 tracking mobile application developed by the National Informatics Centre of India which was made available on Google Play Store from the 2nd of April, 2020. On the same day, K. Vijay Raghavan, the Principal Scientific Adviser to the Government of India, tweeted that the app encrypts data using state-of-the-art technology and hence, is highly secure.
On 4th April, netizen and hacktivist Elliot Alderson responded to Vikram Kadiam’s tweet and thus began a cyber-play. That same day he tweeted about some of the security flaws regarding the application and gained a wide-spread fan following. However, it was not until his tweet on May 5, that Elliot Alderson became a cyber hero with almost every newsroom reporting about him. The hacktivist claims that it was only because of his security research, that the developers of Aarogya Setu app identified and fixed the bugs.
Destroying Claims Made By Elliot Alderson
The First Claim made by the hacktivist was, “…there is no host validation…With only 1-click an attacker can open any app internal file, including the local database used by the app called fight-covid-db.” In order to prove his claim, he provided screenshots from the decompiled Apk of Version 1.0.1 (initial release) in his article that was published way after the release of the current version 1.1.1 of the app.
Primarily, he provided this screenshot from the AndroidManifest.xml file in Aarogya Setu v1.0.1, and later, the screenshot of a method called onPageStarted().
Verily, the above screenshots prove that there is no host validation and that an attacker can readily gain access to many internal files of the application. However, it should be noted that these screenshots are only from the initially released version 1.0.1, as claimed by the hacktivist himself!
So, I myself downloaded the current version 1.1.1 of the app and decompiled it using Apktool. In the AndroidManifest.xml file, there were no intent-filters for WebViewActivity, as can be seen below.
Further, I found the above mentioned onPageStarted() method in a file called the C0174.java, and on performing a grep search for the method on the whole of the directory, I concluded that this was the only readable instance of the method present in the APK. So, I opened it to check if the claims of the hacktivist were true or not. It seems, at least for the current version, the app does use a specific technique of Host Validation, wherein the string is first parsed into a URI and then the URI’s host and port components are queried. We can also see the use of MalformedURLException in the below screenshot of the method in the file c0174a1.java of Aarogya Setu version 1.1.1.
To summarize, in Aarogya Setu version 1.1.1,
- WebViewActivity is not accessible from outside
- Uses Host Validation
- Does not have intent-filters for WebViewActivity
Hence, the claim of the hacker that the internal files of the app can be accessed by attackers, and that there is no host validation, may have been true for the initial release but not for the current version. The current version of the app is highly secure to such attacks.
The Second Claim came about on the 5th of May, which was more of a pointless theory. He stated that the location (latitude and longitude) of the user is sent through the header along with the radius selected by him. He furthered,
“The first thing I noticed is that this endpoint returns a lot of info:
– Number of infected people
– Number of unwell people
– Number of people declared as Bluetooth positive
– Number of self-assessment made around you
– Number of people using the app around you”
This was followed by his argument, “…an attacker can know who is infected anywhere in India, in the area of his choice.” The hacktivist reported that five of the people from PMO, five from the Ministry of Defence, two from the Indian Army Headquarters, and two from the Indian Parliament felt sick, while one of the parliamentarians was COVID-19 positive. He thus claimed that it was a privacy issue.
Elliot Alderson made this tweet tagging Rahul Gandhi, leader of the Congress party, who had termed the Aarogya Setu application a “sophisticated surveillance system.”
To his tweet, Aarogya Setu thanked the hacker and replied in a convincing tone that there are no such bugs as mentioned by the hacktivist. Aarogya Setu stated, “no personal information of any user has been proven to be at risk” and that the hacktivist’s above-mentioned information “is already public for all locations and hence does not compromise on any personal or sensitive data.”
Further, the hacktivist indirectly initiated his followers to tweet and ask the developers to make it open source. And reclaiming the words of Rahul Gandhi, he pinned a tweet on his account that the app is a surveillance system.
But my question is that even if it is a surveillance system owned by the government, why would the government use it to spy on itself? The hacktivist’s claim that he found a number of infected as well as unwell people in the government bodies of the likes of the Ministry of Defence, the PMO, and the Indian Army Headquarters, only proves that the application is unbiased! Moreover, it fulfills the netizens’ right to information in an absolute way, does it not? Further, the app simply provides the number of infected people within a given radius and that is in no way a piece of personal information. The app verily uses cryptography and sends data over HTTP/S since its initial release! Is Elliot Alderson a paid propaganda artist?
Looking At The Time-Line of Events
The Aarogya Setu Version 1.0.1 was made available on 2nd of April, 2020 on the Google Play Store. Following its release, Elliot Alderson tweeted his initial research, inspired by Vikram Kadiam’s tweet. Aarogya Setu’s version 1.0.4, version 1.0.5, version 1.0.6 and version 1.1.1 were released on April 8, April 13, April 17 and April 27, respectively. However, it was only on May 5th that the hacktivist took his research to twitter and for the first time informed Aarogya Setu of his findings. Later on May 6th, in his article published on Medium, the hacktivist claimed, “they quickly
answered to my report and fixed some of the issues but seriously: stop lying, stop denying.” How can he take the credits if the current version 1.1.1 was already released 9 days before he even informed the developers of the application?
Is it not obvious that the credit must go to the dedicated team of developers of Aarogya Setu? Why this promotion of a French hacktivist when he did not even give any solid points to ponder?
