Aarogya Setu Open Source – Free PDF Download

Table of Contents

Changed stance

In a departure from its previous stance, the government released the source code of its contact tracing app Aarogya Setu.
Ministry of Electronics and Information Technology announced that it has released the source code of Aarogya Setu app to promote transparency and collaboration with the software developer community
The source code was released in line with its “Policy on Adoption of Open Source Software for Government of India”.
The IT Ministry’s move came in the wake of demands from cyber law experts and critics who had said the app was too closed in nature and without adequate data protection measures.
The release of the app’s Android source code (which 98 per cent of the 115 million Aarogya Setu users use) comes nearly two months after the app was released on April 2.
It has been uploaded on GitHub.

Source code is the part of software that computer programmers can manipulate its working and function.
Programmers who have access to a computer program’s source code can improve that program by adding features.
Software can be divided into two broad categories –

Any software that has to be bought or licensed from the creator of the software is called a proprietary or closed-source software.
Examples –

The intellectual property rights of the software, even if bought or licensed, remains with the creator.

Open Source refers to a source which people can modify and share because its design is publicly accessible.
Open-source software requires no licensing and need not be bought.
Its source code is open for everyone to download, examine, redistribute, and improve upon if they can, with an acknowledgment to the original software coder or the company.
Examples – VLC Media Player, Audacity , Mozilla browser.

When launching the app on April 2, the IT ministry had explicitly mentioned in the terms of use that no one was allowed to reverse-engineer the app or alter with the coding of the app.
This led to critics questioning whether the app could be used for surveillance and go beyond its mandate of contact tracing.
Cyber law experts and the software developer community called upon the government to allow reverse engineering and also publish the source code of the app so that it could be seen by anyone.

National Informatics Center said the government’s internal assessment found potential vulnerabilities in the app, calling for developers to attempt to solve the concerns in a detailed technical document.

The bug bounty programme will give rewards in 2 categories security vulnerability reporting and suggestions for improvement in the source code.
The programme has a goal to partner with security researchers and Indian developer community to test the security effectiveness of Aarogya Setu and also to enhance its security and build user’s trust.
It is aimed at encouraging the Indian developer community to find security flaws in the app and get rewarded.

The IT Ministry’s own policy from 2016 states that all software used by the government will be open source as far as possible
Still, the Ministry had initially barred individuals from reverse engineering the code of Aarogya Setu.

Government has not yet released the server-side code of the app. Sending and processing of data is done on the server.
By having access to the server-side data, individuals can check whether the data provided to the app is flowing directly to the dedicated servers or not.
If not, either the discrepancy can be reported or clarifications can be sought from the government.
The source code of older version has been provided.