In a major win for privacy, transparency and accountability, Aarogya Setu has made its code open source for the Android client, NITI Ayog CEO Amitabh Kant announced at a press conference today. MyGov CEO Abhishek Singh also announced a bug bounty programme for the app that will be hosted on the Innovate platform. The source code is available on GitHub and went live at May 26 midnight, the day of the press conference. Until then, the link shared in the press release showed a 404 error. Details of the bug bounty programme haven’t gone live on the Innovate platform yet, but are available on Aarogya Setu’s official Twitter page.

“All subsequent updates will be made through this repository,” Kant said. iOS source code will be made open source in a few days. The source code for the back-end infrastructure will be made open source next week. This means, that cybersecurity and privacy researchers can audit the code and assess it for security and privacy.

Kant was accompanied by Principal Scientific Advisor K. Vijay Raghavan, Dr Neeta Verma, the Director General of NIC, and the MEITY Secretary Ajay Prakash Sawhney. MyGov CEO Abhishek Singh will join the conference later. It is significant that the Principal Scientific Advisor was present because he will set up the expert committee that will govern sharing of anonymised data with research institutions as per the Aarogya Setu Data Access and Knowledge Sharing Protocol, 2020 that the IT Ministry had released on May 11. Raghavan compared the use of this app to “digital immunity”.

“More than 3,000 hotspots at sub-office post office level have been predicted 3-17 days in advance,” Kant said. Via self-assessment, they reached out to more than 8 lakh people and alerted more than 140,000 Bluetooth contacts, he said.

Kant acknowledged the contributions of Deep Kalra (MakeMyTrip), Lalitesh Katragadda (ex-Google), Arnab Kumar (NITI Aayog), Seema Khanna (NIC), Prashant Tandon (1mg), and Vikalp Sahni (MakeMyTrip), Rahul Goyal (MakeMyTrip) and their teams. Singh announced that Indian Institute of Science (IISc) Bangalore was also involved in the development of this app. Raghavan said Professor Bharadwaj of IISc, along with Dr V. Kamakoti of IIT Madras was involved in the development of this app. Raghavan also acknowledged Rahul Matthan and Arghya Sengupta’s contributions to legal development of the app. Matthan had developed the app’s privacy policy, and Sengupta had developed the data sharing Protocol.

NITI Aayog started this project, but then handed it over to MEITY, Kant said, and it was developed over 3 weeks.

Sawhney said that 98% of Aarogya Setu users use it on Android which is why they are starting with Android open source code first. iOS and KaiOS source code will be released in “due time”, Sawhney said.

Arnab Kumar, the then Program Director of Frontier Technologies at NITI Aayog, who has been spearheading the project had told MediaNama in a conversation on April 22 that the app would be made open source once the product is stable. After the latest Privacy Policy update, that removed the ban on reverse engineering and created an option for people to report bugs and defects, this is definitely a move towards greater transparency.

Bug bountry programme has three categories of security vulnerabilities with a bounty of Rs 1 lakh each, and another one for Rs 1 lakh, Verma said in response to a questions. E-pass integration is underway. “In future, if any other application that can serve the public can be integrated, we will be open to that,” she said. But Sawhney clarified that “we don’t want to take up too much other deep tech integration at this stage” and will limit its purpose to contact tracing, self-assessment tests and issuing alerts for particular geographical areas. “While other things might happen, we are not focussing on them right now,” Sahwney said.

The app turns red only when ICMR identified lab tests a person positive for COVID-19, Sawhney clarified. Rahul Matthan and Arnab Kumar told MediaNama about this in April.

Yash Kadakia, founder of and chief technology officer at Security Brigade, was one of the cybersecurity experts who looked at the app’s code over the last week. The developers of the app had approached the Data Security Council of India, and DSCI in turn recommended a couple of firms to work on this. “They didn’t engage just one; they engaged five or 6 separate firms to take this up in parallel. The idea was to get as many eyes on it as possible,” Kadakia told us.

Rama Vedashree, the CEO of DSCI, confirmed that DSCI engaged with the Ministry of Electronics and Information Technology (MEITY) on this. She also said that Dr V. Kamakoti, professor at IIT Madras and part of the National Security Advisory Board, was also involved in conducting the security audit.

The app did not require any significant changes apart from minor changes to the algorithm in use, as per Kadakia. “They had done a fairly decent job anyway to start with,” he said. “So everyone reviewed the way the DiD [device ID], what is being uploaded, the privacy aspects of it, what encryption is being used,” he said.

“But looking at the backend is where the real security implications might come in as well from a general security standpoint, but from a privacy standpoint, it’s the app that matters. … that part is already reasonably covered,” Kadakia said.

Thus far, the code for iOS and backend infrastructure has not been shared with the cybersecurity experts. Kadakia expects that the iOS code will be shared with them ahead of the iOS source code release, while backend infrastructure code will be shared next week.

Considering the broader implications of the move, Kadakia was pretty appreciative: “I don’t think the government has really open sourced or released a bug bounty like this before.”

Open sourcing the code for Aarogya Setu has been one of the key demands of privacy and cybersecurity advocates. Professor Subhashis Banerjee, of IIT Delhi, had said, “Making the source code open should be mandatory. When you are making a public application it has to be eyeballed by many people. Basic ethics and propriety demands that to have happened. There is a backend that is more opaque.”

Since the app’s release as a public-private partnership on April 2, there had been a growing clamour for open sourcing the app. It reached critical mass once French cybersecurity researcher Robert Baptiste, better known by his Twitter name Elliot Alderson, tweeted security risks associated with location data collection and called for open sourcing the app. On May 16, the app was released on KaiOS, the operating system on which Jio’s smartphones run.

This is a developing story. We will keep updating it.

Update (May 27, 2020 12:33 am): Updated with information about live GitHub links and Bug Bounty Programme. Headline updated from “Aarogya Setu open sources its Android code: Major win for privacy, accountability”. Originally published on May 26, 2020 at 7:10 pm.

Correction (7:24 pm): The first version of this article suggested that Ms Vedashree had confirmed the companies that were involved in the audit. That is not the case. She had confirmed that DSCI had engaged with MEITY on analysing this app. The misleading ambiguity is sincerely regretted.

Get the latest updates from MediaNama on Telegram. Subscribe at https://t.me/medianama