Opportunities for improving security in GoI apps
The recent nationwide lockdown due to the COVID-19 situation has forced me to try some of the apps designed by various agencies of the central and state governments in India. It is heartening to see that serious work has been done towards digitizing several services. The apps I tried included:
- BHIM by National Payments Corporation of India (NPCI) https://play.google.com/store/apps/details?id=in.org.npci.upiapp&hl=en_IN
- Aarogya Setu by NIC (https://play.google.com/store/apps/details?id=nic.goi.aarogyasetu)
Interestingly, both of these apps came into being in response to a crisis. The BHIM system came into the limelight after the November 2016 demonetization event. Aarogya Setu is believed to be an app for tracing the COVID-19 contacts of people who may be infected by the virus. Let's talk about the BHIM app first. It seems to have matured today and has a wide user base. The permissions required by the BHIM app for its functioning are listed here under Permissions; I have copied them in Table-1 below. The description of this app states the following:
"BHIM (Bharat Interface for Money) is a UPI enabled initiative to facilitate safe, easy & instant digital payments through your mobile phone."
Anyone who has ever used netbanking or other modes of online payment such as credit/debit cards, or even services like PayPal, will know that transacting via those interfaces requires only multi-factor authentication, typically a username and password plus an SMS-based OTP. Now take a look at the permissions required by the breed of payment apps like BHIM, Google Pay, PayTM and so on. Of course the app developers will try to justify why they need all those permissions, but the fact remains that they are not really necessary for the primary function of the app. In 90% of cases a user of these kinds of apps wants to send or receive relatively small amounts of funds, or just check balances and transaction details, etc.: pretty much the same functionality as is available via netbanking accounts. Now take a look at the permissions sought from the user. Why would an app require the ability to automatically do the following, possibly without the user's knowledge:
- read and send SMS from my phone?
- directly call phone numbers?
- take pictures and videos on my phone?
- prevent device from sleeping?
- and so on (see Table-1 for the complete list)
These permissions smell more of a snooping device than a consumer banking app! Alas, unsuspecting users just hit the "Accept and Install" button without paying much attention to the consequences of granting all these permissions to an app on their phones. No wonder there is an ever-increasing number of consumer banking frauds.
Table-1 Permissions required by BHIM app
- Photos / Media / Files
- Device ID & call information
- Wi-Fi connection information
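The least-privilege argument above can be turned into a mechanical check: take the permissions an app declares and compare them against the small set its stated primary function (UPI payments) actually needs, flagging everything else with the capability it grants. The script below is an added example, not code from the original post or from NPCI. The baseline set, the sample manifest and its package name are constructed for illustration; the `android.permission.*` names themselves are real Android permissions corresponding to the Play Store permission groups named in the text.

```python
"""Least-privilege audit of an Android app's declared permissions.

Added example, not code from the original post or from NPCI/NIC. The
PAYMENT_BASELINE set and SAMPLE_MANIFEST are constructed for illustration.
"""
from xml.etree import ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed baseline: what a payments app needs for its core flow, i.e.
# reaching its backend over the network and checking connectivity.
PAYMENT_BASELINE = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
}

# Permissions the post singles out, mapped to the capability each grants.
SENSITIVE = {
    "android.permission.READ_SMS": "read SMS (including OTPs)",
    "android.permission.RECEIVE_SMS": "intercept incoming SMS",
    "android.permission.SEND_SMS": "send SMS from the phone",
    "android.permission.CALL_PHONE": "directly call phone numbers",
    "android.permission.CAMERA": "take pictures and videos",
    "android.permission.READ_PHONE_STATE": "device ID & call information",
    "android.permission.READ_EXTERNAL_STORAGE": "photos / media / files",
    "android.permission.ACCESS_WIFI_STATE": "Wi-Fi connection information",
    "android.permission.WAKE_LOCK": "prevent device from sleeping",
}


def declared_permissions(manifest_xml: str) -> set[str]:
    """Collect <uses-permission android:name=...> entries from a manifest."""
    root = ET.fromstring(manifest_xml)
    names = set()
    for el in root.iter("uses-permission"):
        name = el.get(f"{{{ANDROID_NS}}}name")
        if name:
            names.add(name)
    return names


def audit(permissions: set[str], baseline: set[str] = PAYMENT_BASELINE) -> dict:
    """Split declared permissions into justified, sensitive excess and other excess."""
    excess = permissions - baseline
    return {
        "justified": sorted(permissions & baseline),
        "sensitive_excess": {p: SENSITIVE[p] for p in sorted(excess) if p in SENSITIVE},
        "other_excess": sorted(p for p in excess if p not in SENSITIVE),
    }


# Constructed sample manifest echoing the permission groups named in the post.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="example.payments.app">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.CALL_PHONE"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.WAKE_LOCK"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
    <uses-permission android:name="android.permission.VIBRATE"/>
</manifest>
"""

if __name__ == "__main__":
    report = audit(declared_permissions(SAMPLE_MANIFEST))
    print("Justified:", report["justified"])
    for perm, capability in report["sensitive_excess"].items():
        print(f"EXCESS  {perm}: {capability}")
    print("Other excess:", report["other_excess"])
```

On a real APK the manifest is binary XML and must first be decoded (for example with `apktool` or `aapt dump permissions`); the audit step is the same once the permission names are in hand. The point of the baseline is that it is written from the app's stated purpose, so any permission outside it has to be justified by the developer rather than accepted by default.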
Now let us take a look at the Aarogya Setu app. As of today, the developers of this app have not published technical details of how it achieves its stated purpose. It would have been nice to see at least something like what TraceTogether has published. Aarogya Setu supposedly uses the phone's Bluetooth to detect whether a device (and hence the person carrying it) has come into proximity of a COVID-19 infected person. It is not clear how the GPS location of the device is used. On first use, the app authenticates the user by sending an SMS OTP to the phone. Then the user takes a self-assessment survey. There are several short videos on YouTube that show the user interface of this app (e.g. this one is in Hindi). The Google Play Store listing states that the app requires the permissions listed in Table-2 below. However, if you observe the video of the app in use carefully, you will see that the app is also able to automatically read incoming SMS. That is how it was able to "automatically" capture the OTP received by SMS.
Table-2 Permissions required by Aarogya Setu app
In my view, the main worries about this app relate to the back-end. It is not clear how the contact tracing really works. It would be nice if the developer of this app published details about:
- What data is actually captured by the app, how is it stored on the server and the device, and for what purposes?
- How does the detection of COVID-19 exposure of a device (and hence the person carrying it) happen? Does it happen based on the self-declaration of the device user?
- How do you detect false alarms? How does the system deal with attack scenarios where a device (not the person) maliciously or by error ends up in close vicinity of a known COVID-19 infected person's device?
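To make the three questions above concrete, here is the kind of answer the published decentralized designs (TraceTogether's documentation and the later rotating-token protocols) give: the phone only logs rotating Bluetooth tokens with signal strength and duration, keys are uploaded only after a diagnosis, and exposure is decided by cumulative close-range time rather than by any single sighting. This is an added illustrative model, not Aarogya Setu's code and not a description of how Aarogya Setu actually works, since those details were not published; the key scheme, the signal and duration thresholds, and the logged encounters are all constructed for illustration.

```python
"""Illustrative model of decentralized Bluetooth contact tracing.

Added example, not Aarogya Setu's code. Thresholds and encounter data are
constructed; the structure follows published decentralized protocols.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

RSSI_NEAR_DBM = -65        # constructed: signal at or above this counts as "close"
MIN_EXPOSURE_S = 15 * 60   # constructed: 15 minutes of cumulative close contact
INTERVALS_PER_DAY = 144    # constructed: token rotates every 10 minutes


def daily_key() -> bytes:
    """Per-device secret for one day; never leaves the phone unless the user is diagnosed."""
    return os.urandom(16)


def token(day_key: bytes, interval_index: int) -> bytes:
    """Rotating ephemeral identifier broadcast over Bluetooth.

    Without the day key, tokens from the same phone cannot be linked together,
    which is what keeps passive observers from tracking a person across the day.
    """
    msg = interval_index.to_bytes(4, "big")
    return hmac.new(day_key, msg, hashlib.sha256).digest()[:16]


@dataclass
class Encounter:
    """What a phone actually stores about a nearby device: no identity, no location."""
    token: bytes
    rssi_dbm: int
    duration_s: int


def tokens_of(day_key: bytes) -> set[bytes]:
    """Re-derive every token a diagnosed user's phone broadcast on that day."""
    return {token(day_key, i) for i in range(INTERVALS_PER_DAY)}


def exposure_seconds(log: list[Encounter], published_day_keys: list[bytes]) -> int:
    """Sum close-range contact time with tokens of diagnosed users.

    The signal threshold drops far-away sightings; the caller compares the
    total against MIN_EXPOSURE_S, so a brief brush past never triggers alone.
    """
    positive = set()
    for key in published_day_keys:
        positive |= tokens_of(key)
    return sum(e.duration_s for e in log
               if e.token in positive and e.rssi_dbm >= RSSI_NEAR_DBM)


def is_exposed(log: list[Encounter], published_day_keys: list[bytes]) -> bool:
    return exposure_seconds(log, published_day_keys) >= MIN_EXPOSURE_S


def demo() -> dict:
    """Constructed scenario on Dave's phone against three later-diagnosed users."""
    alice_key, bob_key, carol_key = daily_key(), daily_key(), daily_key()
    log = [
        Encounter(token(alice_key, 10), -55, 600),   # Alice: 20 min, close
        Encounter(token(alice_key, 11), -58, 600),
        Encounter(token(bob_key, 30), -50, 120),     # Bob: close, but only 2 min
        Encounter(token(carol_key, 40), -85, 3600),  # Carol: an hour, but far away
    ]
    return {
        "alice_only": is_exposed(log, [alice_key]),
        "bob_only": is_exposed(log, [bob_key]),
        "carol_only": is_exposed(log, [carol_key]),
        "seconds_alice": exposure_seconds(log, [alice_key]),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

In this model the answers to the list are: the device stores only tokens, signal strength and duration, and the server holds only day keys of diagnosed users; detection happens on the phone by re-deriving those tokens, so it does depend on a diagnosis being declared; and accidental brief proximity ("by error") is filtered by the duration and signal thresholds. What such thresholds do not address is a device deliberately carried or relayed next to an infected person's phone, which is exactly why the design and its server-side handling should be documented for review.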
The following reports are not something that will inspire much confidence in the app:
MIT Technology Review has a nice summary of the major COVID contact tracing apps available today: https://www.technologyreview.com/2020/05/07/1000961/launching-mittr-covid-tracing-tracker/