A few days ago, French hacker Robert Baptiste, who goes by Elliot Alderson on Twitter, issued a warning that there are security issues with the government's contact tracing app.
In response to this claim, the government released a statement saying that it is not possible to hack the app and that it is safe for users.
But it looks like these government claims didn't last long, since the app got hacked very easily. The app was hacked by a software engineer from Bangalore known as Jay.
According to Buzzfeed, now that the government is making it mandatory to install the app, the programmer felt he needed to find a way to avoid installing it on his phone. He shared:
"My concern is that just like with Aadhaar, soon you won't be able to go to a restaurant or a movie theater without the Aarogya Setu app installed. Even if the government doesn't make it mandatory, cinema owners are going to impose it on you. That's the kind of culture we have."
Jay started working on the app at 9 AM. The first thing he managed to do was bypass the code for registration. This eliminated the need to enter his phone number. After that, he bypassed the page that requested personal information like name, age, gender, travel history, and COVID-19 symptoms too.
The programmer also somehow got out of giving the app permission to access things like GPS and Bluetooth, which are pretty much the most necessary tools for the app to work.
In just 4 hours, Jay was able to install the app without giving away any of his details. He was even marked "safe" even though he didn't give any permission for it to run on his phone. Apparently, it is quite easy to revoke the app's permissions.
"I revoked the Aarogya Setu app's location and Bluetooth permissions and it tells me I am still safe, so 🤷🏽♂️" (tweet by ¯\_(ツ)_/¯, @PranavDixit, May 2, 2020; pic.twitter.com/G4CkO9zWTB)
Even though the order by the government regarding Aarogya Setu mentioned that the data collected through the app will be anonymized and only used for COVID-19-related purposes, we wonder if the app is at all reliable and safe.