Aarogya Setu: The story of a failure

In order to fight Covid19, the Indian government released a mobile contact tracing application called Aarogya Setu. This application is available on the PlayStore and 90 million Indians already installed it.

Aarogya Setu - Apps on Google Play

This application is currently getting a lot of attention in India. In Noida, if people doesn’t have the app installed on their phone, a person can be imprisoned up to 6 months or fined up to Rs 1000.

No Aarogya Setu app? Pay Rs 1,000 fine or face 6 months jail in Noida

Access to app internal files

On April 3, 2 days after the launch of the app, I decided to give a look to the version 1.0.1 of the application. It was 11:54 pm and I spent less than 2 hours looking at it.

At 1:27 am, I found that an activity called WebViewActivity, was behaving weirdly. This activity is a webview and is, in theory, responsible of showing web page like the privacy policy for example.

AndroidManifest.xml in Aarogya Setu v1.0.1

The issue is that WebViewActivity was capable of doing a little bit more than that.

WebViewActivity in Aarogya Setu v1.0.1

As you can see, the onPageStarted method checked the value of the str parameter. If str:
- is tel://[phone number]: it will ask Android to open the dialer and pre-dial the number
- doesn’t contain http or https, it does…