As countries around the world rush to build smartphone apps that can help track the spread of Covid-19, privacy advocates have cautioned that those systems could, if implemented badly, result in a dangerous mix of health data and digital surveillance. India’s new contact tracing app may serve as a lesson in those privacy pitfalls: Security researchers say it could reveal the location of Covid-19 patients not only to government authorities but to any hacker clever enough to exploit its flaws.
Independent security researcher Baptiste Robert published a blog post today sounding that warning about India’s Health Bridge app, or Aarogya Setu, created by the government’s National Informatics Centre. Robert found that one feature of the app, designed to let users check if there are infected people nearby, instead allows users to spoof their GPS location and learn how many people reported themselves as infected within any 500-meter radius. In areas that have relatively sparse reports of infections, Robert says hackers could even use a so-called triangulation attack to confirm the diagnosis of someone they suspect to be positive.
“The developers of this app didn’t think that someone malicious would be able to intercept its requests and modify them to get information on a specific area,” says Robert, a French researcher known in part for finding security vulnerabilities in the Indian national ID system known as Aadhaar. “With triangulation, you can very closely see who is sick and who is not sick. They honestly didn’t consider this use of the app.”
Security researchers like Robert have focused their attention on Aarogya Setu in part due to its sheer scale. The Indian government has declared the contact tracing app mandatory for many workers and it’s already been downloaded more than 90 million times according to government officials.
Read all of our coronavirus coverage here.
Unlike many of the apps rolling out across Europe now and soon in the United States, Aarogya Setu traces potentially infected people’s movements via GPS rather than Bluetooth data alone. It may represent a cautionary tale about how flawed implementations of contact tracing apps—particularly those that rely on location data—can lead to serious leaks of sensitive medical information.
“I expect many of the contact tracing apps to have these types of issues, and I think particularly the ones that rely on GPS are going to be more privacy invasive,” says Ashkan Soltani, a former Federal Trade Commission lead technologist who reviewed Robert’s