NITI Aayog has open sourced the code of the Aarogya Setu app, weeks after privacy concerns were raised by various experts. The move comes days after the contact tracing app crossed the mark of 10 crore registered users, 41 days after its launch in April. NITI Aayog has released the source code of Aarogya Setu’s Android version, which it said is used by 98 percent of its total users. The state-owned policy think tank, however, plans to open source the code of its iOS and KaiOS versions at a later stage as well.
The source code of Aarogya Setu’s Android version has gone live on GitHub. The National Informatics Centre (NIC) also announced a bug bounty programme to incentivise researchers to find flaws in the app. Furthermore, the NITI Aayog team specified that the source code of the iOS version of the Aarogya Setu app will be released within the next two weeks.
“I just want to point out that this is a very very unique thing to be done,” said NITI Aayog CEO Amitabh Kant while addressing a press conference pertaining to open sourcing the Aarogya Setu app on Tuesday. “No other government product anywhere in the world has been open sourced at this scale anywhere in the world.”
The Aarogya Setu app currently has over 11.50 crore registered users across all supported platforms. During the conference, Kant highlighted that the app has already helped more than 1,40,000 people by alerting them about the potential risk of coronavirus infection using its intrinsic contact tracing technology.
Security experts raised privacy concerns and urged the government to open source the code of the Aarogya Setu app soon after its debut last month. NITI Aayog, however, had up until now pushed the open sourcing process with a view to regularly maintaining the existing system. Nevertheless, the team is set to release all subsequent updates of the app through its repository on GitHub, in addition to releasing the existing code.
“The improvements announced today are a welcome development,” said Mishi Choudhary of legal services organisation SFLC.in. “Aarogya Setu should always have been open source, right from the get go and everything developed by the Government of India should always be open source as that’s tax payers’ money. We will be verifying that all code is open source and global best practices are followed.”
“I am glad that demands I had made about open source, bug bounties, detailed documentation are being followed,” she added. “Work to ensure that the app doesn’t mutate into any other vehicle that plays with sensitive information of such a large population should continue. GoI must also ensure that the de facto mandatory nature of the app should be addressed and people aren’t discriminated based on it. It must always remain voluntary.”
Some experts believe that open sourcing the app code is the first step towards improving user trust and security.
“While the move will go a long way in improving user trust and security, some significant steps remain before the app’s infrastructure can be called truly open source,” said Udbhav Tiwari, Public Policy Advisor, Mozilla. “This includes open sourcing the server-side code and ensuring that the app is built exclusively from its public repository.”
The team behind the Aarogya Setu app has promised to release the server code in the coming weeks. However, a concrete release date is yet to be announced.
Bounties for finding bugs and vulnerabilities
Aside from open sourcing the code, the government has launched the bug bounty programme, which will be hosted by the MyGov team. The programme will enable security researchers to earn a bounty worth Rs. 1 lakh for finding security vulnerabilities within the app. Furthermore, there will be an additional code improvement bounty of Rs. 1 lakh.
Details of the bug bounty programme will be listed online on the MyGov website, although at the time of writing the site did not have the details visible.