Is Aarogya Setu App Secure?

Lavish Garg
May 28, 2020

The coronavirus (Covid-19) crisis is one of the greatest pandemics mankind has ever seen. Millions are affected, along with the economy and the people, especially our front-line workers, who are giving everything just to ensure our safety. To prevent this virus from spreading, some developers have come up with unique and innovative ideas to tackle Covid-19. One such idea, which became very famous in India, is the Aarogya Setu app.

Aarogya Setu is an open-source Covid-19 contact tracing, syndromic mapping and self-assessment digital service. It is primarily a mobile application, developed by the National Informatics Centre under the Ministry of Electronics and Information Technology.

With that background, we move to our topic: “Is this app secure?” I performed a static analysis of the app and found many security-related issues, so I decided to write an article to let you know about the app's bugs and security issues by explaining the issues and their impacts.

App Details

App Name :- Aarogya Setu

Package Name :- nic.goi.aarogyasetu

Main Activity :- nic.goi.aarogyasetu.views.SplashActivity

Android Version :- 1.1.3

Android Version Code :- 1047

Application Permissions

Name :- android.permission.ACCESS_BACKGROUND_LOCATION

Status :- Dangerous

Info :- Access location in background

Description :- Allows an app to access location in the background. If you’re requesting this permission, you must also request either.

Impact :- This permission keeps tracking you while you are not using the app, compromising your location privacy.

Name :- android.permission.ACCESS_COARSE_LOCATION

Status :- Dangerous

Info :- Coarse (network based) location

Description :- Access coarse location sources, such as the mobile network database, to determine an approximate phone location, where available. Malicious applications can use this to determine approximately where you are.

Impact :- Location Privacy is compromised

Name :- android.permission.ACCESS_FINE_LOCATION

Status :- Dangerous

Info :- Fine Location

Description :- Access fine location sources, such as the Global Positioning System on the phone, where available. Malicious applications can use this to determine where you are and may consume additional battery power.

Impact :- Location privacy is compromised and the user will experience heavy battery drain.

Name :- android.permission.ACCESS_NETWORK_STATE

Status :- Normal

Info :- View Network Status

Description :- Allows an application to view the status of all networks.

Impact :- Location privacy is compromised and the user will experience heavy battery drain.

Name :- android.permission.BLUETOOTH

Status :- Dangerous

Info :- Create Bluetooth connection

Description :- Allows an application to view the configuration of the local Bluetooth phone and to make and accept connections with paired devices.

Impact :- Can make the user's device vulnerable to Bluejacking, Bluebugging and Car Whispering, through which a hacker can get remote access to the device.

Name :- android.permission.BLUETOOTH_ADMIN

Status :- Dangerous

Info :- Bluetooth Administration

Description :- Allows an application to configure the local Bluetooth phone and to discover and pair with remote devices.

Impact :- Can make the user's device vulnerable to Bluejacking, Bluebugging and Car Whispering, through which a hacker can get remote access to the device.

Name :- android.permission.INTERNET

Status :- Dangerous

Info :- Full Internet Access

Description :- Allows an application to create network sockets.

Impact :- This comes under dangerous permissions but is treated as a normal permission. A higher-risk permission that would give a requesting application access to private user data or control over the device that can negatively impact the user. Because this type of permission introduces potential risk, the system may not automatically grant it to the requesting application. For example, any dangerous permissions requested by an application may be displayed to the user and require confirmation before proceeding, or some other approach may be taken to avoid the user automatically allowing the use of such facilities. (Source :- https://developer.android.com/guide/topics/manifest/permission-element)

Name :- android.permission.WAKE_LOCK

Status :- Dangerous

Info :- Prevent phone from sleeping

Description :- Allows an application to prevent the phone from going to sleep.

Impact :- Dangerous permissions cover areas where the app wants data or resources that involve the user’s private information, or could potentially affect the user’s stored data or the operation of other apps. For example, the ability to read the user’s contacts is a dangerous permission. If an app declares that it needs a dangerous permission, the user has to explicitly grant the permission to the app. Until the user approves the permission, your app cannot provide functionality that depends on that permission. (Source :- https://developer.android.com/guide/topics/permissions/overview) The wake lock permission will keep the device awake, causing battery drain.

Name :- com.google.android.finsky.permission.BIND_GET_INSTALL_REFERRER_SERVICE

Status :- Dangerous

Info :- Unknown permission from android reference

Description :- Unknown permission from android reference

Impact :- This permission tracks where the app was installed from.

Manifest Analysis

Name :- Broadcast Receiver (com.google.android.gms.measurement.AppMeasurementInstallReferrerReceiver) is Protected by a permission, but the protection level of the permission should be checked.

Permission :- android.permission.INSTALL_PACKAGES

Severity :- High

Description :- A Broadcast Receiver is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device. It is protected by a permission which is not defined in the analysed application. As a result, the protection level of the permission should be checked where it is defined. If it is set to normal or dangerous, a malicious application can request and obtain the permission and interact with the component. If it is set to signature, only applications signed with the same certificate can obtain the permission.

Impact :- If the developer doesn’t enforce controls on who can and cannot send broadcasts, the receiver may accept broadcasts from untrusted sources, which may put the application at serious risk. For a tutorial on exploiting broadcast receivers, see https://resources.infosecinstitute.com/android-hacking-security-part-3-exploiting-broadcast-receivers/#gref

Name :- Broadcast Receiver (com.google.firebase.iid.FirebaseInstanceIdReceiver) is Protected by a permission, but the protection level of the permission should be checked.

Permission :- com.google.android.c2dm.permission.SEND

Severity :- High

Description :- A Broadcast Receiver is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device. It is protected by a permission which is not defined in the analysed application. As a result, the protection level of the permission should be checked where it is defined. If it is set to normal or dangerous, a malicious application can request and obtain the permission and interact with the component. If it is set to signature, only applications signed with the same certificate can obtain the permission.

Impact :- If the developer doesn’t enforce controls on who can and cannot send broadcasts, the receiver may accept broadcasts from untrusted sources, which may put the application at serious risk. For a tutorial on exploiting broadcast receivers, see https://resources.infosecinstitute.com/android-hacking-security-part-3-exploiting-broadcast-receivers/#gref

Name :- Broadcast Receiver (nic.goi.aarogyasetu.background.BootReceiver) is not Protected. An intent-filter exists.

Severity :- High

Description :- A Broadcast Receiver is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device. The presence of intent-filter indicates that the Broadcast Receiver is explicitly exported.

Impact :- If the developer doesn’t enforce controls on who can and cannot send broadcasts, the receiver may accept broadcasts from untrusted sources, which may put the application at serious risk.

Name :- Broadcast Receiver (nic.goi.aarogyasetu.utility.BluetoothLocationReceiver) is not Protected. An intent-filter exists.

Severity :- High

Description :- A Broadcast Receiver is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device. The presence of intent-filter indicates that the Broadcast Receiver is explicitly exported.

Impact :- If the developer doesn’t enforce controls on who can and cannot send broadcasts, the receiver may accept broadcasts from untrusted sources, which may put the application at serious risk.

Name :- Broadcast Receiver (nic.goi.aarogyasetu.utility.SmsReceiver) is not Protected.

Severity :- High

Description :- A Broadcast Receiver is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device. The presence of intent-filter indicates that the Broadcast Receiver is explicitly exported.

Impact :- If the developer doesn’t enforce controls on who can and cannot send broadcasts, the receiver may accept broadcasts from untrusted sources, which may put the application at serious risk.

Name :- Service (androidx.work.impl.background.systemjob.SystemJobService) is Protected by a permission, but the protection level of the permission should be checked.

Permission :- android.permission.BIND_JOB_SERVICE

Severity :- High

Description :- A Service is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device. It is protected by a permission which is not defined in the analysed application. As a result, the protection level of the permission should be checked where it is defined. If it is set to normal or dangerous, a malicious application can request and obtain the permission and interact with the component. If it is set to signature, only applications signed with the same certificate can obtain the permission.
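The manifest findings above all come from the same triage: is the component exported, and if it is, does a permission guard it and where is that permission's protection level defined? The Python sketch below is an added example, not code from the app or from the analysis tool used for this article. It runs that triage over a constructed manifest in which the two `Hypothetical…` receivers, the `INTERNAL` permission and the `BOOT_COMPLETED` filter are assumptions.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"

# Constructed manifest: real component names come from the findings above; the
# BOOT_COMPLETED filter, INTERNAL permission and Hypothetical* receivers are assumed.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="nic.goi.aarogyasetu">
  <permission android:name="nic.goi.aarogyasetu.permission.INTERNAL"
      android:protectionLevel="signature"/>
  <application>
    <receiver android:name="nic.goi.aarogyasetu.background.BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
    <receiver android:name="com.google.firebase.iid.FirebaseInstanceIdReceiver"
        android:exported="true" android:permission="com.google.android.c2dm.permission.SEND"/>
    <receiver android:name="nic.goi.aarogyasetu.HypotheticalInternalReceiver"
        android:exported="true" android:permission="nic.goi.aarogyasetu.permission.INTERNAL"/>
    <receiver android:name="nic.goi.aarogyasetu.HypotheticalPrivateReceiver" android:exported="false"/>
  </application>
</manifest>"""

def audit_components(manifest_xml):
    """Return {component name: verdict} for activities, services and receivers."""
    root = ET.fromstring(manifest_xml)
    # Protection levels of the permissions this app defines itself.
    defined = {p.get(NS + "name"): p.get(NS + "protectionLevel", "normal")
               for p in root.iter("permission")}
    findings = {}
    for tag in ("activity", "service", "receiver"):  # providers have other defaults
        for comp in root.iter(tag):
            exported = comp.get(NS + "exported")
            has_filter = comp.find("intent-filter") is not None
            # Without android:exported, an intent-filter implies exported (pre-Android 12).
            is_exported = exported == "true" or (exported is None and has_filter)
            perm = comp.get(NS + "permission")
            if not is_exported:
                verdict = "not exported"
            elif perm is None:
                verdict = "exported, unprotected"
            elif perm not in defined:
                # Defined by another package: its protection level must be looked up there.
                verdict = "exported, check protection level of " + perm
            elif defined[perm].split("|")[0] == "signature":
                verdict = "exported, signature-protected"
            else:
                verdict = "exported, weak permission " + perm
            findings[comp.get(NS + "name")] = verdict
    return findings
```

A "check protection level" verdict is not a confirmed weakness: the permission has to be resolved in the package that defines it before the finding can be rated.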

Code Analysis

These are some screenshots of issues from the code analysis, with CWE numbers and CVSS scores. These are the vulnerabilities found in the static analysis of the code.
