Amid privacy concerns, Govt makes Aarogya Setu source code public; Shashi Tharoor welcomes move

Aarogya Setu (Photo: IANS)


India on Tuesday said it was making public the source code of its Coronavirus contact-tracing app Aarogya Setu for Google’s Android smartphones, a move digital rights activists said will boost the security of users.

The move, allowing researchers, experts and developers to understand how it works and the personal data processed through it, is being seen as a bid to allay the privacy concerns regarding the Aarogya Setu app.

The source code for the Android version of the application is available for review and collaboration on Github. The iOS version of the application will be released as open source within the next two weeks and the server code will be released subsequently, an official statement said.

Almost 98 per cent of Aarogya Setu users are on Android platform, it added.

“The key pillars of Aarogya Setu have been transparency, privacy and security and in line with India’s policy on Open Source Software, the source code of Aarogya Setu has now been made open source,” said the Electronics & IT Ministry statement.

It said that opening the source code to the developer community signifies the government’s continuing commitment to the principles of transparency and collaboration.

“With the release of the source code in the public domain, we are looking to expanding collaboration and to leverage the expertise of top technical brains amongst the talented youth and citizens of our nation and to collectively build a robust and secure technology solution to help support the work of frontline health workers in fighting this pandemic together,” the statement said.

The government has also announced a bug bounty program for the app, whereby the government will pay a cash price of Rs 1 lakh to any developer who finds bugs or loopholes in the application.

Meanwhile, Congress leader Shashi Tharoor has welcomed the Centre’s move to release the source code in public domain.

“This is a welcome development! Centre shifts stance, releases source code for #AarogyaSetu app… Govt’s internal assessment found potential vulnerabilities in the app, called for developers to attempt to solve the concerns in a detailed technical document (sic.),” Tharoor tweeted.

Earlier this month, a French security researcher named Elliot Alderson had tweeted that a security issue has been found in the app and that the “privacy of 90 million Indians was at stake”.

However, the official handle of Aarogya Setu immediately issued a statement assuring that “no data or security breach has been identified.”

The Government had on April 1 unveiled the ‘Aarogya Setu’ App – a COVID-19 tracking mobile application.

The app is aimed at augmenting the initiatives of the Central government, particularly the department of health, in proactively reaching out to and informing the users of the app regarding risks, best practices and relevant advisories pertaining to the containment of COVID-19.

The application, which tracks through a Bluetooth and location-generated social graph, is designed to alert users if they have come in close proximity with any COVID-19 positive patient.

It calculates the user’s risk of infection based on recency and proximity of COVID-19 patient.

The app’s alerts are accompanied by instructions on how to self-isolate and what to do in case you develop symptoms that may need help and support.

Meanwhile, the Government has issued orders making the downloading of the ‘Aarogya Setu’ App mandatory for all Central government staff.

The contact-tracing application has also been mandatory for air travel and other activities involving movement of people.