The government initially promised to open source Aarogya Setu's iOS version within two weeks of its release in May for Android.
Aarogya Setu is an Indian open-source software service CoVID-19 "Text tracking, syndromic mapping and self-assessment," mainly a smartphone device established under the Ministry of Electronics and Information Technology by the National Informatics Centre. In 40 days, the android version of the application has reached over 100 million downloads.
Aarogya Setu iOS application was released about two and a half months after the Android version of NITI Aayog open was sourced. OpenForge, the Government's counterpart to GitHub, provided the source code. But the source code for the Android version of the Aarogya Setu app is available from GitHub. The Aarogya Setu iOS version repository doesn't have access to its server-side application.It is similar to the touch tracing app Android application where the server-side code is not open to the public either.
The team behind the Aarogya Setu app revealed the iOS source code would be published in a tweet posted Thursday. The code is accessible via OpenForge. This contains the files that allow the user interface on iOS, but there is no clarity about the server-side code of the app that lets users understand the app's operations.
The government's original open source for the Aarogya Setu app's Android version was in May. Around the point, NITI Aayog vowed to release iOS version of the app's source code within the next two weeks. During the rollout, the National Informatics Center (NIC) also launched a bug bounty scheme to enable users to find vulnerabilities in the software.
Aarogya Setu iOS application
This open-sourcing of iOS version of Aarogya Setu comes only after ShadowMap, a vulnerability analysis company, reportedly discovered the log-in credentials the developers use. The company's blog post was deleted soon after it came into the social media limelight. But at the time of filing this article, the cached version was still available.
"We found that one of the Aarogya Setu repositories had been changed recently, and one of its developers inadvertently published their Git archive in the public webroot, along with the user name and password information for the official Aarogya Setu GitHub account, "the blog post stated. It was not the first security problem with the Aarogya Setu app, as technology analysts raised questions about privacy and advised the government to open source code after its April debut.