Aarogya Setu becomes open source but what are we finding?

Hi folks,

As many of you are aware, MeitY has released the Android version of Aarogya Setu’s source code on GitHub. I have been reading analysis of the code by techies but a lot of it is incomprehensible for my lawyer brain. If any of you are planning to analyse the code, could you please share your insights here in a form that would be understood by a layperson? This will really help us get a sense of what kind of vulnerabilities exist, how severe they are and to what extent they can be mitigated within the present architecture of the app.

Also taking this opportunity to share IFF’s recent work around Aarogya Setu on the litigation, policy, RTI and public advocacy fronts.

Best,
Dev

2 Likes

From what I have seen on GitHub so far, here’s a very quick and basic summary:

  • The Server and Cloud component source codes have not been released. They have said that they will be released subsequently, but it is anyone’s guess why they have not yet done this, given that the App and the Server side code usually work in unison.
  • The source code released for Android seems to essentially be a wrapper on https://web.swaraksha.gov.in, whereas the code for the said website has not been released yet. So what has been released has only marginal value. It is more for news headlines than actual transparency.
  • A large number of issues are actually feature requests, which may or may not go on to become future enhancements. Some are frivolous, while some others may be genuinely useful, notwithstanding the inherent limitations of Contact Tracing itself.
  • It is worth bearing in mind that the Android app underwent an update 2-3 days before the app code was released on GitHub. It is not clear whether that update was a code cleanup / enhancement / patches etc.

Things will be clearer when the backend component source code is also released in line with government stated (sic) policy.

8 Likes

Hi, thanks for this explanation! Just wondering what you mean by feature requests? Is it a technical term or is it about new features like e-pass, telemedicine etc being integrated with the app?

2 Likes

Your interpretation is correct. Some of these Issues are mostly requests from the community that maybe the app can do this, do that, also this and also that.

1 Like

Developers have been raising concerns over GitHub, but there seems to be little to no response from the app developers themselves. Also, they’re using Google Cloud Platform as their backend, which by law can be requested by the USA to let it drop into the servers or give required access when required. (Read more on FISA orders.)

This is concerning because we aren’t entirely sure of what kind of data is actually stored on the server side and the level of anonymity maintained along with it.

The issue comes back to the lack of data protection laws and privacy laws in general; high time we get it passed! Thoughts?

2 Likes

Thanks for this update! The fact that they are storing data on Google Cloud is particularly interesting because the govt’s own Personal Data Protection Bill requires data localisation for sensitive personal data.

1 Like