The Indian government’s contact tracing app, Aarogya Setu, has open-sourced the code for its iOS version, according to Gadgets360. The move followed the discovery of security vulnerabilities by the digital risk management platform ShadowMap.
The code for the Android version of the application was released on OpenForge in May, almost two and a half months earlier than the iOS version. Initially, the government promised to release the iOS code two weeks after the app’s Android version was published.
The release on OpenForge, an open-source platform owned by the Indian government, satisfied the requests of the app developers who have been calling for the code to be open-sourced for analysis and bug reporting in light of the Bug Bounty Program.
The Bug Bounty Program is an initiative launched by the government that offers Rs. 1 lakh to those who successfully find and report flaws.
Relatedly, developers have been slamming the government for not uploading updated versions of the Android code. The lack of open sourcing for the server-side portion of the code has also been under fire, according to Live Mint.
Publishing the server-side code would give developers the chance to see how the data collected by the application is being used.
In a now-removed but archived post published on August 12, ShadowMap revealed that Aarogya Setu’s Android code and back-end infrastructure, hosted on the development platform GitHub, had been exposed on the internet.
The finding came out of “part of an internal research project” in which the platform scans and analyzes GOV.in domains to help India’s national cybersecurity agency CERT-In identify and address risks. The firm was able to obtain login credentials for the GitHub account that manages the app.
The security flaw allowed ShadowMap to log into the account, giving it access to the source code for various services, including the Aarogya Setu website, back-end APIs, web services, the Swaraksha portal, internal analytics, and many others.
According to ShadowMap, “We noticed that one of the Aarogya Setu servers had been recently updated and one of its developers had accidentally published their Git folder into the public webroot, along with the plain-text user name and password details for the official Aarogya Setu GitHub account.”
The flaw was flagged on June 23 and was addressed by CERT-In within 24 hours, as per a follow-up report by ShadowMap.
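The root cause ShadowMap describes, a Git folder copied into the public webroot together with plain-text credentials, is the kind of misconfiguration a deployment pipeline can catch before anything goes live. The following is an added example, not code from the article, from ShadowMap or from the Aarogya Setu project: a Python pre-deployment check that walks a staged webroot and flags any `.git` entry, a Git remote URL with embedded credentials, and stray credential files. The sample tree it builds (file names, user name and password) is constructed purely for the demonstration.

```python
import re
import tempfile
from pathlib import Path
from typing import Dict, List

# Matches an HTTP(S) URL carrying "user:password@" before the host, which is the
# form in which a Git remote URL embeds plain-text credentials.
CRED_URL_RE = re.compile(r"https?://[^/\s:@]+:[^/\s@]+@")

# Files that should never sit under a public webroot.
CREDENTIAL_FILES = {".git-credentials", ".netrc", ".env"}


def audit_webroot(webroot: str) -> List[str]:
    """Walk a staged webroot and return one finding per exposed artefact.

    Paths in the findings are POSIX-style and relative to the webroot so the
    output is stable across platforms; the walk is sorted for the same reason.
    """
    root = Path(webroot)
    findings: List[str] = []
    for path in sorted(root.rglob("*")):
        rel = path.relative_to(root).as_posix()
        if path.name == ".git":
            # Any .git entry under a webroot (directory or worktree pointer file)
            # lets a client download the repository history, and with it every
            # secret that was ever committed.
            findings.append(f"exposed git metadata: {rel}")
            config = path / "config"
            if config.is_file() and CRED_URL_RE.search(config.read_text(errors="ignore")):
                findings.append(f"credentials in git remote URL: {rel}/config")
        elif path.is_file() and path.name in CREDENTIAL_FILES:
            findings.append(f"credential file in webroot: {rel}")
    return findings


def build_sample_webroot(base: str) -> str:
    """Create a constructed webroot reproducing the reported misconfiguration."""
    root = Path(base) / "webroot"
    (root / "assets").mkdir(parents=True)
    (root / "index.html").write_text("<html><body>ok</body></html>\n")
    (root / "assets" / "app.js").write_text("console.log('app');\n")
    git = root / ".git"
    git.mkdir()
    (git / "HEAD").write_text("ref: refs/heads/main\n")
    # Constructed placeholder credentials; these are not real values.
    (git / "config").write_text(
        '[remote "origin"]\n'
        "\turl = https://example-user:example-pass@github.com/example-org/example-repo.git\n"
    )
    (root / ".git-credentials").write_text("https://example-user:example-pass@github.com\n")
    return str(root)


def build_clean_webroot(base: str) -> str:
    """Create a constructed webroot holding only static content, as a control."""
    root = Path(base) / "clean"
    (root / "assets").mkdir(parents=True)
    (root / "index.html").write_text("<html><body>ok</body></html>\n")
    return str(root)


def demo() -> Dict[str, List[str]]:
    """Audit both constructed trees in a temporary directory and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return {
            "misconfigured": audit_webroot(build_sample_webroot(tmp)),
            "clean": audit_webroot(build_clean_webroot(tmp)),
        }


if __name__ == "__main__":
    for name, findings in demo().items():
        print(f"{name}: {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
```

Running the check against the misconfigured tree reports the `.git` entry, the credential-bearing remote URL in `.git/config`, and the `.git-credentials` file, while the clean tree produces no findings. A check like this belongs in the deploy step that assembles the webroot, with a failing result blocking the release; the web server should additionally deny requests for `/.git` paths (for example, an nginx `location ~ /\.git { deny all; }` block) so that a copy that slips through is still not served. Neither measure replaces rotating any credential that was committed or published, since the history remains readable by anyone who fetched it.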
Aside from the flaws found by the platform, some experts have also raised privacy concerns, which led researchers to urge the government to open-source the code.