Part 2: Truth Behind Propaganda Against the Aarogya Setu App Security!

Before reading this blog, I would highly recommend going through my previous blog, Part 1 – Truth Behind Propaganda Against mAadhaar Security. Together these blogs will help you understand the pattern of false allegations made against Indian Govt apps. Moreover, the intention behind these activities was not to help the government or the people, but to scare millions of people and to disturb the peace.

Note: This post is a purely technical review of the false claims made against the Aarogya Setu App by a self-proclaimed researcher.

How am I qualified to analyse the claims about hacking the Aarogya Setu mobile app?

  • In the last 2 years, I’ve pentested more than 300 mobile apps (iOS + Android) of top companies and have also won bounties of ~USD 200,000 in the mobile section alone.
  • I’m the author of the book “Learning iOS Penetration Testing”, which is dedicated to mobile app security.
  • I also lead OWASP iGoat, an iOS app for learning mobile app security.

A few days back, I saw news claiming the Government’s new app Aarogya Setu got hacked!

[Screenshot: news headline claiming the Aarogya Setu app was hacked]

One more scary news item, in a local language, was like the one below:

[Screenshot: local-language news headline about the Aarogya Setu app]

The self-proclaimed hacker’s claim was:

The privacy of 90 million Indian users is at stake due to a security vulnerability found in the app

That’s scary!!! Right? Did our personal info get compromised?

I did some research and found a blog claiming to show how the Aarogya Setu app can be hacked. I’m just decoding that blog: https://medium.com/@fs0c131y/aarogya-setu-the-story-of-a-failure-3a190a18e34.

Part 1: Access to App Internal Files

He mentioned that, using WebViewActivity, he was able to access the FightCorona_prefs.xml file and other internal files.

Well, how would you exploit this vulnerability in the real world? It’s only exploitable if an attacker gets unrestricted access to your device.

How are you planning to get unrestricted access to 90 million users’ devices?
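Whatever one thinks of the real-world exposure, the app-side fix for a WebView activity that can be pointed at internal files is well understood. The following is an added example, not code from the Aarogya Setu app or from either blog: a WebView-hosting activity that only loads https pages on an allow-listed host and switches off every file and content access setting. The host name, the intent extra key and the class name are assumptions.

```java
// Added example (not the Aarogya Setu app's code): a WebView activity that
// refuses anything except https:// on an allow-listed host, so an intent
// carrying a file:// or content:// URL cannot render the app's own files.
import android.app.Activity;
import android.net.Uri;
import android.os.Bundle;
import android.webkit.WebResourceRequest;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

public class HardenedWebViewActivity extends Activity {
    // Hypothetical allow-list; replace with the real backend host(s).
    private static final Set<String> ALLOWED_HOSTS =
            new HashSet<>(Arrays.asList("example.invalid"));
    // Assumed name of the intent extra that carries the URL to show.
    public static final String EXTRA_URL = "url";

    /** True only for https URLs whose host is on the allow-list. */
    static boolean isAllowed(String url) {
        if (url == null) return false;
        Uri uri = Uri.parse(url);
        String scheme = uri.getScheme();
        String host = uri.getHost();
        return "https".equalsIgnoreCase(scheme)
                && host != null
                && ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT));
    }

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        WebView webView = new WebView(this);
        setContentView(webView);

        WebSettings s = webView.getSettings();
        s.setAllowFileAccess(false);               // no file:// reads at all
        s.setAllowContentAccess(false);            // no content:// reads either
        s.setAllowFileAccessFromFileURLs(false);   // deprecated on API 30+, still honoured
        s.setAllowUniversalAccessFromFileURLs(false);
        s.setJavaScriptEnabled(false);             // enable only if the page needs it

        // Re-check every navigation, not only the first load, so a redirect
        // or link inside the page cannot escape the allow-list.
        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
                return !isAllowed(request.getUrl().toString()); // true = block
            }
        });

        String url = getIntent().getStringExtra(EXTRA_URL);
        if (isAllowed(url)) {
            webView.loadUrl(url);
        } else {
            finish(); // refuse untrusted input rather than render it
        }
    }
}
```

Alongside the code, the activity should be declared with android:exported="false" in the manifest unless other apps genuinely need to launch it; an activity that is not exported cannot be handed a URL by another app at all, which removes the entry point rather than just filtering it.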

Part 2: Bypassing Root Detection Using Frida

In the blog, he mentioned that he was able to bypass root detection! Ok! So what? These are client-side validations and can always be bypassed, given more or less time!

My question is: can you develop an app where it’s not possible to bypass root detection? I can see the same or similar issues repeated from mAadhaar.

Part 3: Bypassing SSL Certificate Pinning

In the blog, he mentioned that he was able to bypass SSL pinning. Again, what’s the impact here? What are the prerequisites to exploit this?

In order to exploit this issue, an attacker needs to add a malicious certificate to the victim’s device. How will you install malicious certificates in millions of users’ devices?

Part 4: Finding Infected People In Area

Then he mentioned infected people in the PMO office, citing the response below:

– PMO office: {"infected":0,"unwell":5,"bluetoothPositive":4,"success":true,"selfAsses":215,"usersNearBy":1936}

Ok! Can you tell us the names / personal info / PII of the infected people in the PMO office? Otherwise, this is the app’s functionality: the app is designed to give you a heads-up on infected people around you.

Let’s make a list of the vulnerabilities mentioned:

  1. Access to App’s Internal Files – Low Severity
  2. Bypassing Root Detection Using Frida – Low Severity
  3. Bypassing SSL Certificate Pinning – Low Severity
  4. Finding Infected People In Any Area – Low/Info Severity (it’s the app by design)

Bug Bounty: If you don’t know what a bug bounty is, it’s a process in which people can report security issues in apps, and companies pay them money (a bounty) based on the criticality/impact of the vulnerability.

Do you want to know how much a company would pay even if someone reported all of the above issues? It would be USD 0, or the report may be disqualified based on the pattern of issues!

Final Conclusion: The vulnerabilities discussed didn’t disclose any PII / personal data / age / name of any COVID-19 patient or Aarogya Setu app user. Forget about 90 million: not even a single user’s data got exposed! Bug bounty companies would pay USD 0 for these types of issues! Now you can decide: are these really security threats, or just a publicity stunt?

A more interesting and genuine analysis of the Aarogya Setu app can be found here: https://medium.com/@frankvolkel/aarogya-setu-under-the-hood-5660860d2374

In fact, I would say the Aarogya Setu app is a success story! Millions of users are downloading this app, and it is helping people become aware of patients near them!

I also agree that government apps should have proper channels / bug bounty programs to receive security issues. India has one of the largest infosec communities, and it can help make government apps more and more secure.

