Aarogya Setu’s backend code has been released on government-owned open source repository OpenForge (available here). With this, the source codes of the Android and iOS apps, and of the backend servers have been placed in open domain; only the source code of KaiOS app remains unreleased.

Anivar Aravind, a public interest technologist and part of SFLC.in’s advisory board, tweeted, “The demand was not forsome [sic] random backend code snippets. It was for server code, deploy functions and verifiable builds from free and open source repositories. This @NICMeity effort looks like an effort to fool people with some nonfunctional code snippets as ‘Backend code’“. Aravind has filed a PIL in the Karnataka High Court seeking a permanent injunction against the app and had also asked for the server side code to be open sourced.

The government of India had put the source code of the Android client in the public domain via GitHub on May 27. However, NIC-CERT had later said that the Aarogya Setu code on GitHub is “test backend code”, not the “production code”. While announcing the open sourcing of Android source code, the National Informatics Centre (NIC) had also announced a Bug Bounty Programme; submissions for which were accepted until June 26. Despite receiving 1,451 submissions through the programme, the NIC has not yet declared the winner(s).

The iOS source code was released in the public domain on August 10 without any such ceremony. Unlike the Android code, the iOS code was released on OpenForge and had no Bug Bounty Programme attached to it. In a Right to Information response to MediaNama on September 30, the NIC said that the results for the Android Bug Bounty Programme would be announced “shortly”, as would a Bug Bounty Programme for the iOS app.

Since its launch on April 2, the Indian government’s contact tracing app has been mired in one controversy after another. Unlike contact tracing apps used in other countries, that only rely on Bluetooth, Aarogya Setu also tracks a users’ location. This, along with other features of the app as well as its iterative Privacy Policy and Terms and Conditions have raised significant concerns around its incursions into people’s privacy. As it is, the app is envisioned as the first building block of India’s National Health Stack.

The Ministry of Home Affairs made the app mandatory for all employees across the country on May 1. In its subsequent lockdown order, however, the MHA made it voluntary. Despite that, a number of public and private entities have been making the app a mandatory requirement for access to services and locations.

Read more: