🇮🇳 Aarogya Setu Security: a code review
It’s been 3 weeks since I published TraceTogether: under the hood, a summary of my security review of Singapore’s TraceTogether mobile app developed by GovTech Singapore for community-driven tracing to mitigate the spread of COVID-19.
Since then, both TraceTogether and my independent review of what’s under the hood have amassed much attention from the global community. TraceTogether’s novel approach of using Bluetooth Low Energy for contact tracing have inspired other Countries to replicate it, and industry juggernauts Apple & Google have committed to bake similar contact tracing technology into iOS and Android.
This morning, a reader Gowtham Raj requested if I could perform a similar investigation on India’s contact tracing application, Aarogya Setu. Aarogya Setu’s approach is fundamentally different from TraceTogether, for it collects “anonymised, aggregated datasets for the purpose of generating reports, heat maps, and other statistical visualisations for the purpose of the management of COVID-19 in the country”. With 10 Million downloads on Android alone since launch and privacy advocates expressing concern on a lack of Aarogya Setu’s “information collection, purpose limitation, data storage, institutional divergence, and transparency and audibility” policies, it might be worthwhile to compare Aarogya Setu’s technical approach with that of TraceTogether.
Similar to my TraceTogether article, I’ll selectively highlight facts I find interesting. I picked Aarogya Setu’s Android APK as the target as it is more accessible for inspection than iOS applications. Details within sections are graduated, so simply forward to the next section should it be too much to follow.
#1 — On the Cloud
Aarogya Setu employs managed Amazon Web Services (AWS) for it’s backend. This allows Aarogya Setu to scale up rapidly in the cloud to support millions of users in India. NSLookup on the two API hostnames reveal the use of Elastic Load Balancing for static content and API Gateway products. Further inspection of HTTP headers show that static content is served by nginx. Datacenters are in Mumbai, as indicated by AP-South-1.
#2 — Data Records & SQLite Storage
Similar to TraceTogether, Aarogya Setu uses SQLite for on-device record storage. The schema creation statements provide interesting insights as to the data Aarogya Setu intends to collect.
The most distinguishing feature of Aarogya Setu when contrasted to TraceTogether is its collection of the user’s latitude and longitude information in nearby_devices_info_table as neighbouring devices are detected.
Aarogya Setu stores literal bluetooth_mac_address of neighbouring devices. TraceTogether generates and stores cryptographic hashes instead of literal bluetooth mac addresses of neighbouring devices during broadcast.
Interestingly, unlike TraceTogether, Aarogya Setu do not collect device types of neighbouring devices.
#3 — Data Retention Policy
Unlike TraceTogether, there is no policy in Aarogya Setu, both in code or writing, to purge records from the SQLite database on the user’s device after a predetermined period of time. This is similar to TraceTogether when it first launched, for the development team “did not have time to build and test this before launch, and decided to defer it to a post-launch update”: it could be a similar case with Aarogya Setu. Similarly, it’s no biggie if records are stored indefinitely, though it’d be nice to do some basic housekeeping should the situation prolong itself and necessitate the extended use of the application.
#4 — Runtime Security: Rooted Device Detection and Certificate Pinning
There is some evidence of runtime security implementations to prevent OS tampering on rooted devices and SSL (certificate?) pinning to safeguard against MITM (Man-in-the-middle) attacks. I did not verify the detailed functionality of either implementations: I’m giving the developers the benefit of doubt in the soundness of their implementations.
#5 — Application Layer Encryption
This came across as a surprise: on top of TLS (Transport Layer Security) that’s free from the use of HTTPS (Secure HTTP), Aarogya Setu encrypts latitude and longitude data in the application using AES-GCM or RSA (depending on Android version) prior to sending it over the network. I verified the data path from SQLite retrieval thru encryption. However, I did not put in much time to understand how the keys are managed, and therefore the additional privacy safeguards achieved with this additional layer of encryption.
Similar to TraceTogether, I only set aside half a day for this exploration. I hope I’ve shed some light on the inner workings of Aarogya Setu. The pandemic is growing at an alarming rate and challenging humanity at an unprecedented level: I urge all my readers to be socially responsible and to cooperate with your respective state agencies in curbing the spread of the virus. Stay safe.
Download Aarogya Setu from Apple App Store or Google Play
