Useful Android Apps

Rahul Gandhi spoke to the media about the lockdown, the Aarogya Setu app and the Modi government's corona policy (video, The Lallantop, May 8, 2020)

Questions raised over data protection and privacy in the Aarogya Setu app | Elliot Alderson (video, The Lallantop, May 7, 2020)
In this show, Saurabh Dwivedi discusses the privacy and security issues in the Aarogya Setu app raised by a France-based ethical hacker and taken up by opposition parties.
 
Updated on : Friday, May 8, 2020, 3:59 PM IST
Hacker Elliot Alderson ready to bet a beer if someone proves to him that Aarogya Setu isn't a surveillance app
By
FPJ Web Desk

In a series of tweets, a French Android applications developer and cyber security expert, using the moniker Elliot Alderson, raised concerns about Modi government's Aarogya Setu app.
Alderson concluded his 'findings' on the coronavirus tracker app in an article which he titled 'Aarogya Setu: The Story of a failure'.
His 'findings' revealed how any potential hacker can access a lot of information about:
#Number of infected people
#Number of unwell people
#Number of people declared as bluetooth positive
#Number of self-assessments made around the hacker's area
#Number of people using the app around the hacker's area


"Thanks to this endpoint an attacker can know who is infected anywhere in India, in the area of his choice. I can know if my neighbour is sick for example. Sounds like a privacy issue for me," he wrote.
Earlier today, the ethical hacker once again took to Twitter, calling the app a surveillance system, and from his tweets it seems he is ready to bet a beer if someone proves him otherwise.
In a series of tweets he wrote: "A mobile application that send your GPS coordinates regularly to a server owned by a government is a surveillance system."


Elliot Alderson @fs0c131y:
A mobile application that sends your GPS coordinates regularly to a server owned by a government is a surveillance system. #AarogyaSetu is a surveillance system

Elliot Alderson @fs0c131y:
Do you have to worry?

When a government is forcing people to install an app, it's probably a good moment to be worried
2:16 PM - May 8, 2020




Elliot Alderson @fs0c131y (replying to @fs0c131y):
"We need it to fight #Covid19"

No, you need:
- tests to identify infected people
- masks
- gloves
- contact tracers
- respect social distancing
- isolate infected people

An app alone will not break the contamination chain.

Elliot Alderson @fs0c131y:
"It's ok, my government told me that this is temporary, they will delete my data and I will be able to uninstall their contact tracing app"

You are dreaming my friend. All these surveillance systems are here to stay. I am ready to bet a beer if you want
2:29 PM - May 8, 2020




Elliot Alderson @fs0c131y (replying to @fs0c131y):
"Without a contact tracing app, it's impossible to defeat Covid19"

This is not true. This is not the first pandemic and contact tracing without an app has been done for decades.

Elliot Alderson @fs0c131y:
"Can they still track me if I uninstall the app?"

Of course not, at least not with the app, because the app is no longer on your phone
2:40 PM - May 8, 2020




Elliot Alderson @fs0c131y (replying to @fs0c131y):
"I trust my government, I will install the app anyway"

I respect that, it's a free country, do what you want, but be aware that you are giving up your privacy in exchange for some "hypothetical" protection

Elliot Alderson @fs0c131y:
"I'm already giving my data to Facebook, Twitter and Tinder, it doesn't matter if I give my data to my government"

It's not because you have very bad habits in terms of privacy that you have to continue. You are the one in charge. Only you can improve that
2:51 PM - May 8, 2020




Elliot Alderson @fs0c131y (replying to @fs0c131y):
"We are in the 21st century, we have the technology, tracking people's phones will end #Covid19 for sure"

Just look at China. You can't even imagine how China is monitoring its population. And they were unable to avoid the propagation of the virus.

Elliot Alderson @fs0c131y:
"Privacy is for the rich"

No, privacy is a fundamental right. Everyone deserves it
3:03 PM - May 8, 2020




Elliot Alderson @fs0c131y (replying to @fs0c131y):
"My 20-year-old security bro told me you are a fraud and the issues you found are not real issues"

The 2 issues I found can probably be classified as medium. Aarogya Setu developers do not agree with your security bro because they fixed the issues.

Elliot Alderson @fs0c131y:
"The government said the app is unhackable"

Nothing is unhackable. With enough motivation and skill, everything can be hacked.
3:14 PM - May 8, 2020




Elliot Alderson @fs0c131y (replying to @fs0c131y):
"Some people don't have enough food or electricity, in India we don't care about privacy"

Some people care and again everyone deserves privacy. Let's give them access to basic needs and respect their privacy at the same time. It's not incompatible

Elliot Alderson @fs0c131y:
"You are just an attention seeker, you just want more followers"

You have no idea how painful it is to have a big Twitter account. You receive thousands of messages, comments, insults. I don't earn money with it. Sometimes it's very cool but there are a lot of drawbacks
3:35 PM - May 8, 2020




Elliot Alderson @fs0c131y (replying to @fs0c131y):
"Why are you wasting your time on Twitter?"

The impact. Together we made incredible things. Every opportunity to raise privacy awareness should be taken. Especially when a lot of media scrutinize your tweets

Elliot Alderson @fs0c131y:
"This is not how security pros do responsible disclosure"

This is a hot debate, there is no ideal way to disclose an issue. This way is probably not ideal but it's efficient. My general rule for that is: you found a bug, you are the owner of it, do wtf you want with it
3:44 PM - May 8, 2020



These events follow Rahul Gandhi's concerns about the app. After Gandhi's statement, the ethical hacker took a look at the Modi government's app himself and revealed the aforementioned 'findings'.
The Aarogya Setu app is available in 11 languages on both Android and iOS devices. It has been downloaded by 90 million people so far.



Updated on : Wednesday, May 6, 2020, 9:56 PM IST
'The story of a failure': French hacker finally publishes article on 'issues' in Modi govt's Aarogya Setu app
By
Husain Rizvi



In a series of tweets, a French Android applications developer and cyber security expert, using the moniker Elliot Alderson, raised concerns about Modi government's Aarogya Setu app.
Alderson concluded his 'findings' on the coronavirus tracker app in an article which he titled 'Aarogya Setu: The Story of a failure'.
"I wrote an article to describe the issues I reported to the @SetuAarogya. I hope it will allow people to understand the situation and why it's an important issue. I hope you like it, all feedbacks are welcome," Alderson tweeted with a link to his article.




Explaining the reasons for writing the article, he tweeted at 9:18 PM on May 6, 2020: "I took the time to write this article for two reasons: - I want to be transparent. You have all the info, even the technical info - Sharing is caring. Maybe it will give ideas to other bug bounty hunters and security lovers in general."



Alderson begins his article by describing the situation of people in Noida, where anyone found without the app installed on their phone can be jailed for up to six months or fined up to Rs 1,000.
He went on to explain that, because the app's WebView performed no host validation, an attacker could make it open the app's own internal files, a potential breach of the user's privacy.
According to Alderson, the app developers 'silently' fixed the aforementioned issue.
The ethical hacker then continued his analysis on a rooted device (the Android equivalent of a jailbroken iPhone), but the app refused to run on it, citing security reasons.
He bypassed the root detection with a small Frida hook and, once inside the app, found a feature that tells users how many people have self-assessed in their area.
The radius of the area can be set to 500 m, 1 km, 2 km, 5 km or 10 km.
Alderson then summed up his 'findings' by revealing how any potential hacker can access a lot of information about:
#Number of infected people
#Number of unwell people
#Number of people declared as bluetooth positive
#Number of self-assessments made around the hacker's area
#Number of people using the app around the hacker's area
"Thanks to this endpoint an attacker can know who is infected anywhere in India, in the area of his choice. I can know if my neighbour is sick for example. Sounds like a privacy issue for me," he wrote.
He went on to reveal the counts the endpoint returned for some specific areas (reproduced in his article below).



In the conclusion of his article, Alderson said: "As you saw in the article, it was totally possible to use a different radius than the 5 hardcoded values, so clearly they are lying on this point and they know that."
"They even admit that the default value is now 1 km, so they did a change in production after my report. The funny thing is they also admit a user can get the data for multiple locations.
"Thanks to triangulation, an attacker can get with a meter precision the health status of someone.
"Bulk calls are possible my man. I spent my day calling this endpoint and you know it too.
"I'm happy they quickly answered my report and fixed some of the issues but seriously: stop lying, stop denying."
The Aarogya Setu app is available in 11 languages on both Android as well as iOS devices. It has been downloaded by 90 million people so far.



Aarogya Setu: The story of a failure

Elliot Alderson
Elliot Alderson

Follow
May 6 · 5 min read






In order to fight Covid19, the Indian government released a mobile contact tracing application called Aarogya Setu. This application is available on the Play Store and 90 million Indians have already installed it.
(Link: Aarogya Setu - Apps on Google Play, play.google.com)

This application is currently getting a lot of attention in India. In Noida, if a person doesn't have the app installed on their phone, they can be imprisoned for up to 6 months or fined up to Rs 1000.
(Link: "No Aarogya Setu app? Pay Rs 1,000 fine or face 6 months jail in Noida", indianexpress.com)

Access to app internal files
On April 3, 2 days after the launch of the app, I decided to take a look at version 1.0.1 of the application. It was 11:54 pm and I spent less than 2 hours looking at it.

At 1:27 am, I found that an activity called WebViewActivity was behaving weirdly. This activity is a webview and is, in theory, responsible for showing web pages like the privacy policy, for example.

[Screenshot: AndroidManifest.xml in Aarogya Setu v1.0.1]

The issue is that WebViewActivity was capable of doing a little bit more than that.

[Screenshot: WebViewActivity in Aarogya Setu v1.0.1]

As you can see, the onPageStarted method checked the value of the str parameter. If str:
- is tel://[phone number]: it asks Android to open the dialer and pre-dial the number
- doesn't contain http or https: it does nothing
- otherwise: it opens a webview with the specified URI.
As you can see there is no host validation at all. So, I tried to open an internal file of the application called FightCorona_prefs.xml by sending the following command:

[Screenshot: the command sent to the app]

As you can see in the following video, it worked fine!

[Video: the attempt, which succeeded]

Why is it a problem? With only 1 click an attacker can open any app internal file, including the local database used by the app, called fight-covid-db.


Ability to know who is sick anywhere in India
On May 4, I decided to push my analysis a little bit further and analysed version v1.1.1 of the app, which is the current version.
The first thing I noticed is that the issue described previously had been fixed silently by the developers. Indeed, the WebViewActivity is no longer accessible from the outside: they removed the intent filters in the AndroidManifest.xml.

[Screenshot: AndroidManifest.xml in Aarogya Setu v1.1.1]
To continue my analysis, I decided to use the app on a rooted device. When I tried, I directly received this message.

[Screenshot: the app's root-detection message]
I decompiled the app and found where this root detection was implemented. In order to bypass it, I wrote a small function in my Frida script.

[Screenshot: the Frida script]
The next challenge was to bypass the certificate pinning implemented in the app so that I could monitor the network requests it made. Once I had done that, I used the app and found an interesting feature.

[Screenshot: the feature in the app]





In the app, you have the ability to know how many people did a self-assessment in your area. You can choose the radius of the area. It can be 500 m, 1 km, 2 km, 5 km or 10 km.
When the user clicks on one of the distances:
- his location is sent: see the lat and lon parameters in the header
- the radius chosen is sent: see the dist parameter in the URL and the distance parameter in the header

[Screenshot: the request and response, with the location set to Mumbai and the radius to 100 km]
The first thing I noticed is that this endpoint returns a lot of info:
- Number of infected people
- Number of unwell people
- Number of people declared as bluetooth positive
- Number of self-assessments made around you
- Number of people using the app around you
Because I'm stupid, the 1st thing I tried was to modify the location to see if I was able to get information anywhere in India. The 2nd thing was to modify the radius to 100 km to see if I was able to get info with a radius which is not available in the app. As you can see in the previous screenshot, I set my location to Mumbai and set the radius to 100 km and it worked!
What are the consequences?
Thanks to this endpoint an attacker can know who is infected anywhere in India, in the area of his choice. I can know if my neighbour is sick for example. Sounds like a privacy issue to me...
So I decided to play with it a little bit and checked who was infected in some specific places with a radius of 500 metres:
- PMO office: {"infected":0,"unwell":5,"bluetoothPositive":4,"success":true,"selfAsses":215,"usersNearBy":1936}
- Ministry of Defense: {"infected":0,"unwell":5,"bluetoothPositive":11,"success":true,"selfAsses":123,"usersNearBy":1375}
- Indian Parliament: {"infected":1,"unwell":2,"bluetoothPositive":17,"success":true,"selfAsses":225,"usersNearBy":2338}
- Indian Army Headquarters: {"infected":0,"unwell":2,"bluetoothPositive":4,"success":true,"selfAsses":91,"usersNearBy":1302}


Disclosure

49 minutes after my initial tweet, NIC and the Indian CERT contacted me. I sent them a small technical report.
A few hours after that they released an official statement.

To sum up, they said "Nothing to see here, move on".
My answer to them is:
- As you saw in the article, it was totally possible to use a different radius than the 5 hardcoded values, so clearly they are lying on this point and they know that. They even admit that the default value is now 1 km, so they made a change in production after my report
- The funny thing is they also admit a user can get the data for multiple locations. Thanks to triangulation, an attacker can get the health status of someone with metre precision.
- Bulk calls are possible my man. I spent my day calling this endpoint and you know it too.
I'm happy they quickly answered my report and fixed some of the issues but seriously: stop lying, stop denying.
And don't forget folks: Hack the planet!

WRITTEN BY
Elliot Alderson
French security researcher. Worst nightmare of Oneplus, Wiko, UIDAI, Kimbho, Donald Daters and others. Not completely schizophrenic. Not related to USANetwork.
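The URI dispatch the article above describes for WebViewActivity in v1.0.1, as an added example in Python (it is not the app's code and not the researcher's; the real activity is Android Java/Kotlin). It models the three-way check from the article beside a hardened version, and generalises the point: a substring test for "http" is satisfied by any URI that merely contains those four letters, for instance in a query string, so a file:// path can pass it. The package directory in INTERNAL_FILE and the allowlisted host example.invalid are assumptions, not values from the page.

```python
from urllib.parse import urlsplit

# Constructed stand-ins. The file name FightCorona_prefs.xml is from the
# article; the package directory and the allowlisted host are assumptions.
INTERNAL_FILE = "file:///data/data/app.package/shared_prefs/FightCorona_prefs.xml"
ALLOWED_HOSTS = {"example.invalid"}   # the app's own web origin(s), assumed


def dispatch_as_described(uri: str) -> str:
    """Model of the onPageStarted logic the article describes for v1.0.1.

    tel: URIs go to the dialer, anything without 'http' in it is ignored,
    and everything else is loaded as-is. No scheme or host is ever checked,
    and 'http' is only looked for as a substring."""
    if uri.startswith("tel:"):
        return "DIAL " + uri[len("tel:"):].lstrip("/")
    if "http" not in uri:
        return "IGNORED"
    return "LOAD " + uri


def dispatch_hardened(uri: str) -> str:
    """Parse the URI and allow only what this screen actually needs."""
    parts = urlsplit(uri)
    if parts.scheme == "tel":
        number = parts.netloc or parts.path          # tel:123 and tel://123
        if number and all(c.isdigit() or c in "+-() " for c in number):
            return "DIAL " + number
        return "BLOCKED"
    # Exact scheme match plus an allowlisted host. Parsing with urlsplit
    # means https://example.invalid@evil.test/ is seen as host 'evil.test',
    # and file:, content: and javascript: URIs have no matching host at all.
    if parts.scheme != "https" or parts.hostname not in ALLOWED_HOSTS:
        return "BLOCKED"
    return "LOAD " + uri
```

In the real app the equivalent fix is a scheme and host allowlist in the WebViewClient's shouldOverrideUrlLoading, WebSettings.setAllowFileAccess(false) so a file:// URI cannot be rendered even if one slips through the check, and not exporting the activity at all, which is what the article says v1.1.1 did by dropping the intent filters.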




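The area-count endpoint described in the article above, and the triangulation the researcher refers to in his disclosure section, as an added simulation in Python (a constructed example; not the app's server and not the researcher's tooling). The response keys copy the article's JSON; the population, coordinates, grid size and suppression threshold are assumptions. It goes beyond the page in one way: it shows concretely how a lone "infected" count can be turned into that user's position with a few dozen queries, and which server-side checks (a radius allowlist, snapping the centre to a coarse grid, withholding small counts) make the same search return nothing useful.

```python
import math

M_PER_DEG = 111_320.0                              # metres per degree of latitude
ALLOWED_RADII_M = (500, 1000, 2000, 5000, 10_000)  # the five choices in the app UI
GRID_DEG = 0.01                                    # ~1.1 km snap grid (assumed)
K_MIN = 5                                          # counts below this are withheld (assumed)

# Constructed sample population; coordinates and statuses are made up.
REF_LAT, REF_LON = 28.6100, 77.2100
USERS = [
    (28.61230, 77.21150, "infected"),
    (28.61020, 77.20880, "unwell"),
    (28.60970, 77.21210, "unwell"),
    (28.61100, 77.20990, "bluetoothPositive"),
    (28.61050, 77.21050, "healthy"),
    (28.60900, 77.21300, "healthy"),
]


def metres_between(lat1, lon1, lat2, lon2):
    """Flat-earth distance, adequate for the few kilometres involved."""
    dy = (lat1 - lat2) * M_PER_DEG
    dx = (lon1 - lon2) * M_PER_DEG * math.cos(math.radians(REF_LAT))
    return math.hypot(dx, dy)


def _count(lat, lon, dist_m):
    out = {"infected": 0, "unwell": 0, "bluetoothPositive": 0, "usersNearBy": 0}
    for ulat, ulon, status in USERS:
        if metres_between(lat, lon, ulat, ulon) <= dist_m:
            out["usersNearBy"] += 1
            if status in out:
                out[status] += 1
    return out


def vulnerable_endpoint(lat, lon, dist_m):
    """Trusts every client-supplied value: any point in the country, any radius."""
    return _count(lat, lon, dist_m)


def hardened_endpoint(lat, lon, dist_m):
    """Reject radii outside the UI's choices, snap the centre to a coarse grid
    so a one-metre shift of the query cannot change the answer, and withhold
    small per-status counts. Per-client rate limiting belongs in front of this."""
    if dist_m not in ALLOWED_RADII_M:
        raise ValueError("radius not permitted")
    if not (-90 <= lat <= 90 and -180 <= lon <= 180):
        raise ValueError("bad coordinates")
    lat = round(lat / GRID_DEG) * GRID_DEG
    lon = round(lon / GRID_DEG) * GRID_DEG
    return {k: (v if v >= K_MIN else None) for k, v in _count(lat, lon, dist_m).items()}


def accepts_radius(endpoint, lat, lon, dist_m):
    """True if the endpoint answers the query rather than rejecting it."""
    try:
        endpoint(lat, lon, dist_m)
        return True
    except ValueError:
        return False


def locate_infected(endpoint, lat0, lon0, r=500):
    """Pin a lone 'infected' user to sub-metre precision using counts only.

    Slide the query circle along one axis: the two centre positions where the
    target enters and leaves the circle are symmetric about the target, so the
    midpoint of that chord is the target's coordinate on that axis. Each edge
    is found by binary search between a centre that still counts the user and
    one that no longer does."""
    if endpoint(lat0, lon0, r)["infected"] != 1:
        raise ValueError("start from a circle containing exactly one infected user")
    far = 3 * r / M_PER_DEG            # a shift that certainly leaves the circle

    def edge(move):
        lo, hi = 0.0, far              # lo: still inside, hi: outside
        for _ in range(32):
            mid = (lo + hi) / 2
            if endpoint(*move(mid), r)["infected"] == 1:
                lo = mid
            else:
                hi = mid
        return lo

    north = edge(lambda d: (lat0 + d, lon0))
    south = edge(lambda d: (lat0 - d, lon0))
    east = edge(lambda d: (lat0, lon0 + d))
    west = edge(lambda d: (lat0, lon0 - d))
    return lat0 + (north - south) / 2, lon0 + (east - west) / 2


if __name__ == "__main__":
    print("100 km query accepted:", accepts_radius(vulnerable_endpoint, REF_LAT, REF_LON, 100_000))
    print("located infected user at:", locate_infected(vulnerable_endpoint, REF_LAT, REF_LON))
    print("hardened answer:", hardened_endpoint(REF_LAT, REF_LON, 500))
```

Rate limiting is the other check the disclosure section implies ("bulk calls are possible"); it only slows the search down, whereas the grid snapping and the small-count suppression are what actually break it, since the two queries a metre apart that the search depends on then return the same answer, and a count of one is never released.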
 
Noida residents start legal fight against mandatory use of Aarogya Setu in city

indiatoday.in

May 9, 2020 12:12 AM

As per the government order, anyone who has not downloaded the Aarogya Setu App could be jailed for 6 months. It is probably for the first time in the country that an entire district has been asked to download a mobile application or else they face legal action.



A group of residents in Noida and Greater Noida has submitted a letter before the police commissioner and district magistrate as part of their legal fight against the government order making the Aarogya Setu App mandatory.

In a unique order, the government authorities in Gautam Buddh Nagar have asked residents to download the Aarogya Setu app on their smartphones. As per the order, it is mandatory to have the app on your phone when venturing outside. Anyone caught without the app in a public place will be considered in violation of the coronavirus-forced lockdown and can face a fine of Rs 1,000 or six months of imprisonment.

Ritwick Shrivastava, a lawyer and resident of Greater Noida, is representing the delegation of residents of Noida and Greater Noida. Ritwick has submitted a legal complaint before the police commissioner and district magistrate asking them to withdraw the order as it is illegal.

"The Supreme Court in an order in 2017 gave a judgment that medical details of a person can be sought only with the consent and no one can be forced. When we use Arogya Setu, then it seeks medical details. That’s why the use of this app can be advised but making it mandatory is illegal," said Ritwick.

If the order is not withdrawn by the authorities, then the group of residents has decided to move the court. The residents are also being supported by Internet Freedom Foundation, a platform that looks into a range of issues including net neutrality, free expression, privacy and innovation.

Apar Gupta, a lawyer who is also fighting against the Noida authorities order said, "The government's contact tracing app Aarogya Setu literally means a path to health. But those who do not install it now risk being criminally prosecuted. This is through a direction issued by the Ministry of Home Affairs on which more than 45 organisations and 100 individuals have asked for an urgent review."

On the other hand, a few housing societies have also made the app mandatory, barring entry to residents who do not have it installed.

Vishnu Priyadarshan, Secretary of Ashiana Orchid Society in Greater Noida, has informed all the 170 families of the society that if the residents do not download the app then their entry or exit will be barred. "We have instructed security guards to check everyone’s phone if someone is not using the app then they won’t be allowed."

While some consider the app illegal and a breach of privacy, others say that the Aarogya Setu app helps them stay alert about nearby Covid-19 patients. Mukul, a resident of Noida, uses the app and finds it very useful. "I think the app is good. I have downloaded it and I get to know about people who are infected nearby. However, instead of six months of jail, they should only levy penalties on those who are not using it."

Many residents are also worried about breaches of their data. The government claims that the app is safe, but many still think that it will share their private data.







 
Intel agencies red-flag use of 52 mobile apps with links to China: Complete list

The National Security Council Secretariat has backed the recommendation to block or discourage use of 52 mobile apps

INDIA Updated: Jun 17, 2020 15:02 IST


Shishir Gupta, Hindustan Times, New Delhi

(Photo caption: Intelligence agencies have asked the government to block or discourage use of 52 mobile apps. Sonu Mehta/HT PHOTO)

Indian intelligence agencies have asked the government to block or advise people to stop use of 52 mobile applications linked to China over concerns that these weren’t safe and ended up extracting a large amount of data outside India, people familiar with the development told Hindustan Times.
The list of applications sent by the security establishment to the government include video conferencing app Zoom, short-video app TikTok, and other utility and content apps such as UC browser, Xender, SHAREit and Clean-master.
A senior government official said the recommendation of the intelligence agencies had recently been supported by the National Security Council Secretariat, which felt these could be detrimental to India’s security.
“The discussions on the recommendations are continuing,” said an official, explaining that the parameters and the risks attached to each mobile app will have to be examined one by one.


ON THE RADAR OF INTELLIGENCE AGENCIES
  • TikTok, Vault-Hide, Vigo Video, Bigo Live, Weibo
  • WeChat, SHAREit, UC News, UC Browser
  • BeautyPlus, Xender, ClubFactory, Helo, LIKE
  • Kwai, ROMWE, SHEIN, NewsDog, Photo Wonder
  • APUS Browser, VivaVideo- QU Video Inc
  • Perfect Corp, CM Browser, Virus Cleaner (Hi Security Lab)
  • Mi Community, DU recorder, YouCam Makeup
  • Mi Store, 360 Security, DU Battery Saver, DU Browser
  • DU Cleaner, DU Privacy, Clean Master – Cheetah
  • CacheClear DU apps studio, Baidu Translate, Baidu Map
  • Wonder Camera, ES File Explorer, QQ International
  • QQ Launcher, QQ Security Centre, QQ Player, QQ Music
  • QQ Mail, QQ NewsFeed, WeSync, SelfieCity, Clash of Kings
  • Mail Master, Mi Video call-Xiaomi, Parallel Space



In April this year, the home ministry had issued an advisory on the use of Zoom on the recommendation of the national cybersecurity agency, the Indian Computer Emergency Response Team (CERT-In). India wasn't the first country to restrict the use of Zoom within government: Taiwan has banned government agencies from using Zoom, the German Foreign Ministry restricts its use of Zoom to emergency situations on personal computers, and the United States Senate advises members to use other platforms. The company had responded to the home ministry advisory, insisting that it was serious about user security.
There have been calls for action against mobile apps perceived to be compromising security from time to time, and companies such as the hugely popular video-sharing app TikTok, owned and operated by Chinese internet company ByteDance, have issued denials.
But officials said there were inputs that many Android and iOS apps, either developed by Chinese developers or launched by companies with Chinese links, had the potential to be used as spyware or other malicious software. There have been reports that security agencies had advised security personnel against using them in view of the "detrimental impact that this could have on data security".
Such concerns about backdoors in China-linked hardware or software have frequently been articulated by western security agencies too. One argument has been that China could use its access to degrade communications services in case of conflict.


 
Full list of 59 Chinese apps banned by Indian govt
WeChat, Shein, Club Factory and Shareit are some of the apps that have been axed by the Government of India.
THE PRINT TEAM 29 June, 2020 9:36 pm IST

(Photo caption: Signage is displayed at the TikTok Creator's Lab 2019 event hosted by Bytedance Ltd. in Tokyo. Representational image. Photographer: Shiho Fukada | Bloomberg)

New Delhi: Terming some Chinese apps prejudicial to India's sovereignty, integrity and national security, the government on 29 June decided to ban 59 of them, including TikTok and WeChat, amid demands to boycott Chinese products in the country.
Here is the complete list:

[Image: the list of 59 banned apps, published as a picture and not reproduced here]