India said it will publicly release the source code of its contact tracing app, Aarogya Setu, in a relief to privacy and security experts who have been advocating for this ever since the app launched in early April.
Ajay Prakash Sawhney, secretary in the ministry of electronics and information technology, made the announcement on Tuesday, dubbing it as “opening the heart” of Aarogya Setu app, which has amassed over 114 million users in less than two months, to allow engineers to inspect and tinker with the code.
The source code of Aarogya Setu’s Android app will be published on GitHub at midnight Tuesday (local time). Sawhney said the government will also offer cash prize of up to $1,325 for identifying and reporting bugs and vulnerabilities in the code of Aarogya Setu. (Nearly 98% of Aarogya Setu app are on Android platform.)
Several privacy and security advocates, as well as India’s opposition party, had urged the government to release the code of the app for public auditing after a handful of vulnerabilities were spotted in the app.
Sawhney said today’s move should allay people’s concern with the app that is designed to help curb the spread of the coronavirus disease. Earlier this month, Sawhney said the government was not open sourcing Aarogya Setu app as it worried that it would overburden the team, comprising of mostly volunteers, that is tasked to develop and maintain the app.
“Opening the source code to the developer community signifies our continuing commitment to the principles of transparency and collaboration,” the government ministry said in a statement. “Aarogya Setu’s development has been a remarkable example of collaboration between government, industry, academia, and citizens.”
Aarogya Setu, unlike the contact tracing technology developed by smartphone vendors Apple and Google, stores certain data in a centralized server. Privacy experts, including researcher Baptiste Robert, had argued that this approach opens the app to potential data breaches and leaks.
More to follow…