Contact Tracing app "Aarogya Setu" is now opensource

[maj0r]

Indian Government made Aarogya Setu app is now opensource. Epic move.

Link: https://github.com/nic-delhi/AarogyaSetu_Android

Source: https://www.thehindu.com/news/natio...or-finding-security-flaws/article31681142.ece

PS: Some one needs to validate that this is indeed being pushed to phones from this repo for verification. Else, they could just opensource something and have users install another app.

 

[vishalrao]

Apparently this is just the frontend that is open source and the backend server side is not? So it's useless for security review and bug hunting?

 

[nimod]

moreover, India doesn't have any privacy protection laws in general.
So, any promise from GoI can be easily compromised by their backend-maintainers.

 

[maj0r]

Apparently this is just the frontend that is open source and the backend server side is not? So it's useless for security review and bug hunting?

I believe you meant the app/client side is opensource, correct? If backend is compromised, its a risk BUT its not going to be in the control of the user anyway for review. If client side, you still can find bugs within the client implementation. Example: Review traffic pattern,whether unsafe systems calls are being used or not, API calls initiated from client side to server side etc. (Technically, you could do MITM attack to inspect data send to backend. )

In my opinion, its still a decent start. Someone who has reviewed source would be a better judge of this.