Institute For Ethical Hacking Course and Ethical Hacking Training in Pune – India
Extreme Hacking | Sadik Shaikh | Cyber Suraksha Abhiyan
Credits: The Register
The Indian government has acknowledged “potential security issues” in the Aarogya Setu contact-tracing app, which the opposition labels a ‘surveillance system with no oversight,’ but says the code issues are not that big a deal.
A late night tweet from the team that developed and oversees the app said it was “alerted by an ethical hacker of a potential security issue”.
The first feature called out is accessing location data – which is explained away as being a feature, not a bug. The second seems more serious and is described as allowing a user to “get the COVID-19 stats displayed on Home Screen by changing the radius and latitude-longitude using a script”.
The app team’s response is that the API that makes this possible is firewalled and that the data produced is both limited and already public.
“Getting data for multiple latitude longitude this way is no different than asking several people of their location’s COVID-19 statistics”, the notification says.
Unlike other nations’ contact-tracing apps, Aarogya Setu is not open source or known to be based on other open source efforts. India’s government has pushed it aggressively and even made it compulsory – although one Reg reader ordered to install the app was able to brush off authorities’ insistence because his phone couldn’t access Indian app stores.
So why bother to rebut two minor issues with the app? Perhaps because India’s opposition National Congress Party has heavily criticised Aarogya Setu. Here’s MP Rahul Gandhi – who leads the largest opposition party – in action:
The Arogya Setu app, is a sophisticated surveillance system, outsourced to a pvt operator, with no institutional oversight – raising serious data security & privacy concerns. Technology can help keep us safe; but fear must not be leveraged to track citizens without their consent.
— Rahul Gandhi (@RahulGandhi) May 2, 2020
Business is also bristling at being made responsible for ensuring the app’s mass adoption by staff, while the Indian Software Freedom Law Center analysed the app and found numerous concerns, among them a liability clause that it says “exempts the Government from liability in the event of ‘any unauthorised access to the [user’s] information or modification thereof’.”
“This means that there is no liability for the Government even if the personal information of users are leaked,” the Center’s lawyers argue.
And here’s the full not-a-bug report from the Aarogya Setu team.
Statement from Team #AarogyaSetu on data security of the App. pic.twitter.com/JS9ow82Hom
— Aarogya Setu (@SetuAarogya) May 5, 2020