A Software Engineer From Bangalore Hacked India’s Aarogya Setu Contact Tracing App.


Photo: Adnan Abidi / Reuters. A man wearing a face shield squats next to his belongings as he waits among other people outside a railway station to board trains that will take them to their home states, after India announced a limited reopening of its rail network following a nearly seven-week lockdown.

For days, Jay, a software engineer in Bangalore, watched with mounting alarm as people in India were forced to install the government’s coronavirus contact tracing app. Then, he rolled up his sleeves and ripped its guts out.

“I didn’t like the fact that installing this app is slowly becoming mandatory in India,” said Jay, who requested a pseudonym to speak freely. “So I kept thinking of what I could personally do to avoid putting it on my phone.”

Jay started work at 9 a.m. on a Saturday. He chopped away at the app’s code to bypass the registration page that required people to sign up with their cellphone numbers. More pruning let him bypass a page that requested personal information like name, age, gender, travel history, and COVID-19 symptoms. Then, he carved away the permissions that he viewed as invasive: those requiring access to the phone’s Bluetooth and GPS at all times.

By 1 p.m., the app had become a harmless shell, collecting no data but still flashing a green badge declaring that the user was at low risk of infection.

“That was my goal,” said Jay. “I succeeded. You can show the green badge to anyone if they ask to check your phone and they won’t be able to tell.”

India’s government released Aarogya Setu (Hindi for “a bridge to health”) in early April. According to India’s IT Ministry, it’s been installed nearly 100 million times — on about a fifth of Indian smartphones. But the app has drawn concerns from privacy experts around the world, who say that in the absence of a federal privacy law, it can be used as a tool for state surveillance after the pandemic subsides since it requires constant access to people’s Bluetooth and location data.

Even though installing the app was initially voluntary, many Indians found that they had no choice. Last month, India’s leading food delivery apps mandated that gig workers install the app. Last week, police in Noida, a city on the outskirts of India’s capital New Delhi, mandated that residents install the app or face jail time. That mandate followed federal ones that required government and private employees to install the app. Indians may also need the app in order to board trains, flights, and public transport, to work for food delivery companies, or visit pharmacies.

Hackers like Jay have been trying to find ways around this. After making his own version of the app, Jay shared it with a close circle of 15 friends. It’s not a large number, but a leak from any one of them could undermine the government’s contact tracing efforts — so Jay is trying to keep it private.

But he’s unlikely to be the only one hacking the app.

Indians who are less tech-savvy than Jay are trying to find simpler workarounds, with some reporting that they have taken screenshots of the green badge to flash instead of putting the app on their devices.

“Will I be booked if I don’t have (the) Aarogya Setu (app) installed on my phone?” someone asked on Reddit earlier this week.

“Make it your wallpaper lol,” someone replied. “Worked for a friend in Delhi.”

One user wrote on Twitter (03:14 PM – 02 May 2020): “I revoked the Aarogya Setu app’s location and Bluetooth permissions and it tells me I am still safe, so 🤷🏽‍♂️”

“I’m rebelling against the mandatory nature of this app,” he said. “I don’t want to share my location 24/7 with the government.” He said the Indian app fared poorly against what Google and Apple were helping to build, plans that do not store personal information on centralized servers. “If I was coding this app, I would have chosen to keep data points to a minimum,” he said. “If I have your location information for a month, I can gauge a lot of things about your life.”

Jay’s concerns are rooted in the Indian government’s record. Ten years ago, when the country rolled out Aadhaar, a biometric ID system that stored the fingerprints and iris scans of 1.3 billion Indians in a single database, signing up was voluntary. But soon it was all but mandatory, required for everything from getting a cellphone connection to filing taxes.

“My concern is that just like with Aadhaar, soon you won’t be able to go to a restaurant or a movie theater without the Aarogya Setu app installed,” said Jay. “Even if the government doesn’t make it mandatory, cinema owners are going to impose it on you. That’s the kind of culture we have.”

To assuage privacy concerns around the app, India’s government released a set of rules on Monday about how the app collects and uses data. Among other things, the order says that the data collected through the app will be anonymized and only used for COVID-19-related purposes, but is scant on details. Still, India is planning to add new features to the app in addition to contact tracing, such as telemedicine and e-passes that states can issue to let people move around once India lifts its national lockdown.

Jay said he was unlikely to stop hacking the app. “I’m going to keep up with them,” he said. “If they make significant changes or updates to the app, I’ll find other workarounds.”