Is Aarogya Setu App Secure?

Corona Virus or Covid-19 crisis is one of the greatest pandemic, mankind has ever seen. Millions are affected with the economy, the people, specially our front line workers who are giving everything just to ensure our safety. So to prevent this virus from spreading, some developers have given very unique and innovative ideas to tackle Covid-19. One of such idea which become very famous in India is the idea of Aarogya Setu App.

Aarogya Setu is an open-source application for CoVID-19 for contact tracing, syndromic mapping and self-assessment digital service. Primarily a mobile application, developed by the National Informatics Centre under the Ministry of Electronics and Information Technology.

Now, after providing the above information , we would move to our topic that is “Is this app secure?” . So I have performed the static analysis of the app. And got many security related issues in the app, so I decided to write an article and let you people know about app bugs and security issues by explaining about the issues and its impacts.

App Details

App Name :- Aarogya Setu

Package Name :- nic.goi.aarogyasetu

Main Activity :- nic.goi.aarogyasetu.views.SplashActivity

Android Version :- 1.1.3

Android Version Code :- 1047

Application Permissions

Name :- android.permission.ACCESS_BACKGROUND_LOCATION

Status :- Dangerous

Info :- Access location in background

Description :- Allows an app to access location in the background. If you’re requesting this permission, you must also request either.

Impact :- This permission will keep tracking you while you are not using app compromising your location privacy.

Name :- android.permission.ACCESS_COARSE_LOCATION

Status :- Dangerous

Info :- Coarse (network based) location

Description :- Access coarse location sources, such as the mobile network database, to determine an approximate phone location, where available. Malicious applications can use this to determine approximately where you are.

Impact :- Location Privacy is compromised

Name :- android.permission.ACCESS_FINE_LOCATION

Status :- Dangerous

Info :- Fine Location

Description :- Access fine location sources, such as the Global Positioning System on the phone, where available. Malicious applications can use this to determine where you are and may consume additional battery power.

Impact :- Location Privacy is compromised and user will experience heavy battery power drainage.

Name :- android.permission.ACCESS_NETWORK_STATE

Status :- Normal

Info :- View Network Status

Description :- Allows an application to view the status of all networks.

Impact :- Location Privacy is compromised and user will experience heavy battery power drainage.

Name :- android.permission.BLUETOOTH

Status :- Dangerous

Info :- Create bluetooth connection

Description :- Allows an application to view configuration of the local Bluetooth phone and to make and accept connections with paired devices.

Impact :- Can make the user device vulnerable to Blue jacking, Blue Bugging and Car Whispering through which a hacker can get remote access of the device.

Name :- android.permission.BLUETOOTH_ADMIN

Status :- Dangerous

Info :- Bluetooth Administration

Description :- Allows an application to configure the local Bluetooth phone and to discover and pair with remote devices.

Impact :- Can make the user device vulnerable to Blue jacking, Blue Bugging and Car Whispering through which a hacker can get remote access of the device.

Name :- android.permission.INTERNET

Status :- Dangerous

Info :- Full Internet Access

Description :- Allows an application to create network sockets

Impact :- This comes under dangerous permission but treated as normal permission. A higher-risk permission that would give a requesting application access to private user data or control over the device that can negatively impact the user. Because this type of permission introduces potential risk, the system may not automatically grant it to the requesting application. For example, any dangerous permissions requested by an application may be displayed to the user and require confirmation before proceeding, or some other approach may be taken to avoid the user automatically allowing the use of such facilities.(Source :- https://developer.android.com/guide/topics/manifest/permission-element)

Name :- android.permission.WAKE_LOCK

Status :- Dangerous

Info :- Prevent phone from sleeping

Description :- Allows an application to prevent the phone from going to sleep

Impact :- Dangerous permissions cover areas where the app wants data or resources that involve the user’s private information, or could potentially affect the user’s stored data or the operation of other apps. For example, the ability to read the user’s contacts is a dangerous permission. If an app declares that it needs a dangerous permission, the user has to explicitly grant the permission to the app. Until the user approves the permission, your app cannot provide functionality that depends on that permission.(Source :- https://developer.android.com/guide/topics/permissions/overview). Wake lock permission will keep the device stay on even causing battery drainage.

Name :- com.google.android.finsky.permission.BIND_GET_INSTALL_REFERRER_SERVICE

Status :- Dangerous

Info :- Unknown permission from android reference

Description :- Unknown permission from android reference

Impact :- This permission track the app from where it install.

Manifiest Analysis

Name :- Broadcast Receiver (com.google.android.gms.measurement.AppMeasurementInstallReferrerReceiver) is Protected by a permission, but the protection level of the permission should be checked.

Permission :- android.permission.INSTALL_PACKAGES

Severity :- High

Description :- A Broadcast Receiver is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device. It is protected by a permission which is not defined in the analysed application. As a result, the protection level of the permission should be checked where it is defined. If it is set to normal or dangerous, a malicious application can request and obtain the permission and interact with the component. If it is set to signature, only applications signed with the same certificate can obtain the permission.

Impact :- If the developer doesn’t enforce controls on who can broadcast and who cannot broadcast, obviously the answer is YES. If the receiver accepts broadcasts from untrusted sources, it may put our application at serious risk. For exploiting broadcast reciever you can check the tutorial (https://resources.infosecinstitute.com/android-hacking-security-part-3-exploiting-broadcast-receivers/#gref)

Name :- Broadcast Receiver (com.google.firebase.iid.FirebaseInstanceIdReceiver) is Protected by a permission, but the protection level of the permission should be checked.

Permission :- com.google.android.c2dm.permission.SEND

Severity :- High

Description :- A Broadcast Receiver is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device. It is protected by a permission which is not defined in the analysed application. As a result, the protection level of the permission should be checked where it is defined. If it is set to normal or dangerous, a malicious application can request and obtain the permission and interact with the component. If it is set to signature, only applications signed with the same certificate can obtain the permission.

Impact :- If the developer doesn’t enforce controls on who can broadcast and who cannot broadcast, obviously the answer is YES. If the receiver accepts broadcasts from untrusted sources, it may put our application at serious risk. For exploiting broadcast reciever you can check the tutorial. (https://resources.infosecinstitute.com/android-hacking-security-part-3-exploiting-broadcast-receivers/#gref)

Name :- Broadcast Receiver (nic.goi.aarogyasetu.background.BootReceiver) is not Protected. An intent-filter exists.

Severity :- High

Description :- A Broadcast Receiver is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device. The presence of intent-filter indicates that the Broadcast Receiver is explicitly exported.

Impact :- If the developer doesn’t enforce controls on who can broadcast and who cannot broadcast, obviously the answer is YES. If the receiver accepts broadcasts from untrusted sources, it may put our application at serious risk.

Name :- Broadcast Receiver (nic.goi.aarogyasetu.utility.BluetoothLocationReceiver) is not Protected.An intent-filter exists.

Severity :- High

Description :- A Broadcast Receiver is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device. The presence of intent-filter indicates that the Broadcast Recevier is explicitly exported.

Impact :- If the developer doesn’t enforce controls on who can broadcast and who cannot broadcast, obviously the answer is YES. If the receiver accepts broadcasts from untrusted sources, it may put our application at serious risk.

Name :- Broadcast Receiver (nic.goi.aarogyasetu.utility.SmsReceiver) is not Protected.

Severity :- High

Description :- A Broadcast Receiver is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device. The presence of intent-filter indicates that the Broadcast Recevier is explicitly exported.

Impact :- If the developer doesn’t enforce controls on who can broadcast and who cannot broadcast, obviously the answer is YES. If the receiver accepts broadcasts from untrusted sources, it may put our application at serious risk.

Name :- Service (androidx.work.impl.background.systemjob.SystemJobService) is Protected by a permission, but the protection level of the permission should be checked.

Permission :- android.permission.BIND_JOB_SERVICE

Severity :- High

Description :- A Service is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device. It is protected by a permission which is not defined in the analysed application. As a result, the protection level of the permission should be checked where it is defined. If it is set to normal or dangerous, a malicious application can request and obtain the permission and interact with the component. If it is set to signature, only applications signed with the same certificate can obtain the permission.

Code Analysis

These are some screenshots of issues of the Code Analysis with CWE number and CVSS score. These are the vulnerability found in static analysis of the code.

For more follow our :

Instagram https://instagram.com/witquake_cyberbyte?igshid=188g7rtxgewtf

YouTube Channel https://www.youtube.com/channel/UC2A-NDVO9XKTeqfXSt2jQvw

Thank You and Stay Tuned!!!

--

--

--

I write articles related to Cyber Security and Blockchain.

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

Educate executives and middle-management first | Effective security management part 2

The Internet of Things (IoT)

What Every CISO Should Know About Vendor Risk Management

VulnHub — Hacksudo: ProximaCentauri Walkthrough

The Birth of CypherPunks

Hack The Box : OpenKeyS Writeup

Ethernaut — Level 1 — Fallback

{UPDATE} Tricky Test 2™: Genius Brain? Hack Free Resources Generator

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Lavish Garg

Lavish Garg

I write articles related to Cyber Security and Blockchain.

More from Medium

Google to ban call recording apps from the Play Store!

A person attending a phone call.

Setup Android Avd Emulator Without Android Studio in Linux

Video Streaming Service Development: Features, Price, Pitfalls [2022]

Is Firebase Auth Secure?

Passports