On 12 August, a Mumbai-based cybersecurity company published a detailed blog post explaining how it discovered the source code for the complete Aarogya Setu platform, including its back-end infrastructure, exposed on the public internet.
Shadow Map, a cyber-threat intelligence platform owned by Security Brigade, stated that on 23 June, while preparing a report on risks to ‘gov.in’ domains, it discovered that one of Aarogya Setu’s developers had left the original GitHub URL, along with its username and password, in plain text in a publicly accessible folder.
The blog stated that with the access credentials left open, the company was “able to download the source code for the Aarogya Setu website, Swaraksha portal, back-end APIs, web-services, internal analytics.”
Shadow Map also claimed its analysis found that the team was storing security keys, such as encryption tokens and passwords to its cloud infrastructure, in plain text inside the source code.
However, on Friday, Shadow Map updated its site to say that stakeholders in the app had informed it that the code published on GitHub was test back-end code and not production code.
“While the ministry claims this was not production code we are yet to see any evidence. Rarely test code and production code are different,” said Srinivas Kodali, an independent security researcher.
Aarogya Setu, a contact tracing app for COVID-19, was developed by the Government of India along with private companies and launched on 2 April. The app is considered to be among the fastest growing mobile applications in the world and claims to have over 150 million users on the platform.
Govt Threatened Legal Action, Blog Taken Down
The publication of the blog on Wednesday had not gone down well with the ministry. Late on Wednesday evening, the Ministry of Electronics & IT issued a sternly worded press statement decrying the blog’s “malicious, nefarious and unsubstantiated claims on security issues in Aarogya Setu App.”
Shadow Map said that it had reported the security risk to NIC, NIC CERT and stakeholders in the Aarogya Setu team but received no acknowledgement or response from them. The issue, though, was fixed within 24 hours, the blog post stated.
Describing the post as a “serious offence”, the press release stated “all necessary legal action will be taken by the Government against the entity concerned.”
Shadow Map took down its blog on Wednesday night after the government’s threat. In a surprising move, the ministry also withdrew its press release.
A ministry official said on 12 August that a new and updated press release will be issued soon. MediaNama had republished the blog post, which, too, was later unpublished.
Yash Kadakia, founder of Security Brigade, clarified on 12 August that “we have repeatedly asked relevant stakeholders on anything they may find to be sensitive but have not received any official response.”
“Moreover I'd like to reiterate that the issue was responsibly reported to the NIC team but no response was received from them,” Kadakia added.
On Friday, 14 August, Shadow Map, in its updated blog, stated, “We can unequivocally state that no data was breached nor could it have been. We have been reassured that the data of citizens inside the Aarogya Setu application is safe and the platform continues to be safe and secure.”
The ministry’s press release had also stated, “Aarogya Setu users are assured that no user data has been compromised due to the alleged vulnerabilities.”
What Shadow Map Found
Cybersecurity company Security Brigade, via its threat intelligence platform Shadow Map, claimed to have found a number of major security risks in the app, some of which have been fixed while others remain open.
First, with the login credentials left lying in the public web root folder, Shadow Map attempted to access the user account on the GitHub website. In doing so it encountered two-factor authentication.
By leveraging the GitHub API, the team could bypass the 2FA check and directly access the list of repositories within the account.
“A few minutes later, we had a list of 10 repositories and were able to download the source code for the Aarogya Setu website, Swaraksha portal, back-end APIs, web-services, internal analytics / correlation code, SQS Handler, OTP Service, etc,” they wrote in their blog.
Security Concerns Raised
The Shadow Map team has not made the source code public, but it did publish its analysis of the source code and highlighted what it found to be “areas of concern.”
While the company clarified that the app’s stakeholders had informed it that the code was test code, some of the major concerns highlighted remain valid and are yet to be addressed by the ministry or the app development team.
1. Private sector involvement in developing and managing Aarogya Setu: Based on its analysis of the source code, Shadow Map claimed “it is clear that several private organisations are heavily involved in the development and management of the Aarogya Setu platform.”
They found private domains, sub-domains and servers being used to host code and data from the Aarogya Setu infrastructure.
2. Security of Data on Cloud Platforms: The platform is built largely on Amazon AWS infrastructure and leverages other platforms like Google Firebase.
The Shadow Map analysis also found that the team was storing security keys to cloud infrastructure in plain text inside the source code. Such keys can be used to access, read, write, update and delete data stored in Firebase.
“Even after reporting the problem to concerned authorities, these keys were not revoked and remain active after 45 days,” the blog stated.
3. Security Audit: Stressing the need for independent security audits, Shadow Map stated in its conclusion, “The larger problem we should be talking about is the lack of transparency, third party assessment, audit trails. In one word, we need Accountability.”
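Both failures described above, a credentials file left in a publicly served web root and cloud keys committed in plain text inside source code, are the kind of thing a pre-commit or deployment-time secret scan is meant to catch. The script below is an added illustration of such a scan; it is not code from Shadow Map, Security Brigade or the Aarogya Setu project. The file paths, file contents and key values are constructed for the example, the key formats are the documented public formats (AWS access key IDs starting with AKIA/ASIA, Google API keys starting with AIza), and the list of web-root prefixes is an assumption about where a web server would serve files from.

```python
import re
from dataclasses import dataclass

# Regexes for the classes of secret the article describes: a Git remote URL with
# an embedded username and password, cloud access keys, and plain-text password
# assignments. These patterns are illustrative, not an exhaustive ruleset.
SECRET_PATTERNS = {
    "git_url_with_credentials": re.compile(r"https?://[^/\s:@]+:([^/\s:@]+)@\S+"),
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws[_-]?secret[_-]?access[_-]?key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})"
    ),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_\-]{35}\b"),
    "plaintext_password": re.compile(r"(?i)(password|passwd|pwd)\s*[=:]\s*['\"]?([^'\"\s]{6,})"),
}

# Assumed document-root prefixes; anything under these is reachable over HTTP.
WEB_ROOT_PREFIXES = ("/var/www/", "/srv/www/", "public_html/", "htdocs/")

# Constructed sample tree standing in for a checkout plus a deployed web root.
# The key values are made up and follow only the public key formats.
SAMPLE_FILES = {
    "/var/www/html/deploy/.git-credentials":
        "https://builduser:Hunter2Hunter2@github.example/org/backend.git\n",
    "/home/dev/app/config/settings.py": (
        "AWS_ACCESS_KEY_ID = 'AKIAEXAMPLEEXAMPLE01'\n"
        "AWS_SECRET_ACCESS_KEY = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'\n"
        "FIREBASE_API_KEY = 'AIzaSyExampleExampleExampleExample12345'\n"
        "DB_PASSWORD = 'correct-horse-battery'\n"
    ),
    "/home/dev/app/README.md": "Set AWS_ACCESS_KEY_ID in the environment; never commit it.\n",
}


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str
    redacted: str          # first four characters of the secret, rest masked
    publicly_served: bool  # file sits under a web-server document root


def _redact(secret: str) -> str:
    """Keep enough of the value to locate it, never the whole secret."""
    return secret[:4] + "*" * (len(secret) - 4)


def is_publicly_served(path: str) -> bool:
    return path.startswith(WEB_ROOT_PREFIXES)


def scan_text(path: str, text: str) -> list:
    """Return one Finding per secret-looking match in the file contents."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in SECRET_PATTERNS.items():
            for m in pattern.finditer(line):
                # Use the captured secret where the pattern has a group,
                # otherwise the whole match (e.g. a complete access key ID).
                secret = m.group(m.lastindex) if m.lastindex else m.group(0)
                findings.append(Finding(path, line_no, kind, _redact(secret),
                                        is_publicly_served(path)))
    return findings


def scan_tree(files: dict) -> list:
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


def exposure_report(files: dict) -> dict:
    """Summarise how many secrets were found and how many are web-reachable."""
    findings = scan_tree(files)
    by_kind = {}
    for f in findings:
        by_kind[f.kind] = by_kind.get(f.kind, 0) + 1
    return {
        "total": len(findings),
        "publicly_served": sum(1 for f in findings if f.publicly_served),
        "by_kind": by_kind,
    }


if __name__ == "__main__":
    for f in scan_tree(SAMPLE_FILES):
        flag = "PUBLIC " if f.publicly_served else "private"
        print(f"{flag} {f.path}:{f.line_no} {f.kind} {f.redacted}")
```

On the constructed tree the scan reports five findings, one of them (the Git URL with an embedded password) under a web root and therefore downloadable by anyone, which mirrors the two exposure paths in the article. In practice a finding of this kind is handled by revoking and rotating the key, not only by deleting the file, since the value may already have been copied; the article's point that the keys "remain active after 45 days" is exactly the gap such rotation closes.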
Questions Still Remain
However, despite the clarification by the National Informatics Centre’s CERT and stakeholders in the app that the exposed source code was test code, the security community says a number of questions and concerns remain unaddressed:
1. Why not release the full source code of Aarogya Setu?: While the government had released the source code for the Android version on GitHub, it was not the source code for the entire platform.
Security researchers have previously raised this point and, since the publication of the now-removed blog post, say all ten repositories that Shadow Map found should be made open source so that they can be checked for security risks.
2. No evidence provided: Questions have also been raised about the claim regarding test code versus production code. “While the ministry claims this was not production code, rarely test code and production code are different. By not releasing the entire source code of Aarogya Setu, the ministry is able to claim things that no one can verify,” said Srinivas Kodali, an independent researcher.
4. Need for Security Audit: The ministry, in its press statement or the communication made to Shadow Map, does not clarify whether any independent security audit of the platform has been carried out in the four months since the app’s launch.
5. Bug Bounty: Interestingly, the government had also announced a bug bounty program for Aarogya Setu of up to Rs 3 lakh. Given that the government had indeed fixed the issues reported by Shadow Map, why aren’t they eligible for a bounty?