India’s contact-tracing app is going open-source

India said it will publicly release the source code of its contact-tracing app, Aarogya Setu, to the relief of privacy and security experts who have been advocating for this ever since the app launched in early April.

Ministry of Electronics and Information Technology Secretary Ajay Prakash Sawhney made the announcement on Tuesday, dubbing the move “opening the heart” of the Aarogya Setu app to allow engineers to inspect and tinker with the code. The app has amassed over 114 million users in less than two months — an unprecedented scale globally.

The source code of Aarogya Setu’s Android app will be published on GitHub at midnight Tuesday (local time), and the code of the iOS and KaiOS apps will be released in a “few weeks.” Nearly 98% of the app’s users are on the Android platform. Sawhney said the government will also offer cash prizes of up to $1,325 to security experts for identifying and reporting bugs and vulnerabilities.

Several privacy and security advocates, as well as India’s opposition party, had urged the government to release the code of the app for public auditing after some alleged lapses in the app were found — which New Delhi dismissed as app features at the time.

Sawhney said today’s move should allay people’s concerns with the app. Earlier this month, Sawhney said the government was not open-sourcing Aarogya Setu, as it worried that doing so would overburden the team, mostly comprising volunteers, that is tasked with developing and maintaining it.

The ministry said today that two-thirds of Aarogya Setu users had taken the self-assessment test to evaluate their risk of exposure. More than half a million Indians have been alerted that they had come into contact with someone who is likely ill with the disease, it said.

The app, which uses both Bluetooth and location data to function, has advised more than 900,000 users to quarantine themselves or get tested for the disease. Almost 24% of them have been confirmed positive for COVID-19, the ministry said.

“Opening the source code to the developer community signifies our continuing commitment to the principles of transparency and collaboration,” the Ministry of Electronics and Information Technology said in a statement. “Aarogya Setu’s development has been a remarkable example of collaboration between government, industry, academia and citizens.”

Aarogya Setu, unlike the contact-tracing technology developed by smartphone vendors Apple and Google, stores certain data in a centralized server. Privacy experts, including researcher Baptiste Robert, had argued that this approach would result in leakage of sensitive details of several Indians if that server was ever compromised.

“Open-sourcing Aarogya Setu is a unique feat for India. No other government product anywhere in the world has been open-sourced at this scale,” said Amitabh Kant, chief executive of government-run think-tank NITI Aayog, in a press conference today.

New Delhi-based digital advocacy group Software Law and Freedom Centre (SFLC) said it welcomes India’s move to open-source the app. “We are happy that the government has at last agreed to do what we have been asking all along,” it said.

More than 145,300 coronavirus infections (with about 4,100 resultant deaths) have been reported in India to date.

Sony’s ZV-1 compact camera zooms in on vloggers

Sony has taken aim at the suddenly enormous market of people who want to self-produce high-quality video with a minimum of setup. Its ZV-1 mutates the versatile RX100 series into a selfie video machine, and it could be the all-in-one solution many a vlogger has been searching for.

The new camera is very much based on the highly successful and acclaimed RX100, which over the years has grown in both price and capabilities but remains something the user is behind, rather than in front of. The ZV-1 rethinks the camera for people who need to work the other way round.

The 1″, 20-megapixel sensor and 24-70mm equivalent, F/1.8-2.8 lens are borrowed from the RX100, meaning image quality should be excellent (though vloggers may want a wider angle lens). But the camera has been customized with an eye to selfie-style operation.

That means the electronic viewfinder is gone, but there’s now a fully articulating touchscreen display. A powerful new microphone array takes up a large portion of the camera’s top plate, and the ZV-1 comes with a wind baffle, or “deadcat,” that attaches to the top hot shoe, giving the camera a flamboyant look.


A huge new dedicated record button is placed for perfect operation by a left hand holding the camera from the front, and the zoom dial should be thumbable from there as well. A new “background defocus mode” uses the widest possible aperture, naturally narrowing the depth of field with no need for all the AI rigmarole found on smartphones — and it’s smart enough to switch focus to the product a vlogger is being paid to promote when they hold it up close.

All told, this could be a convincing works-out-of-the-box solution for people who may be juggling a panoply of hardware from multiple generations to get the same thing done. The proven RX100 image quality and reliability, combined with ergonomic tweaks that make it more selfie-friendly, might entice people who are thinking of putting together more complex setups.

At $800, or $750 if you order in the next month, it’s certainly more expensive than an entry-level setup but probably cheaper (and definitely easier) than getting a mirrorless, lens, mic, and other accessories you might need to match it.

A new Android bug, Strandhogg 2.0, lets malware pose as real apps and steal user data

Security researchers have found a major vulnerability in almost every version of Android, which lets malware imitate legitimate apps to steal app passwords and other sensitive data.

The vulnerability, dubbed Strandhogg 2.0 (named after the Norse term for a hostile takeover), affects all devices running Android 9.0 and earlier. It’s the “evil twin” to an earlier bug of the same name, according to Norwegian security firm Promon, which discovered both vulnerabilities six months apart. Strandhogg 2.0 works by tricking a victim into thinking they’re entering their passwords on a legitimate app while they are instead interacting with a malicious overlay. Strandhogg 2.0 can also hijack other apps’ permissions to siphon off sensitive user data, such as contacts and photos, and to track a victim’s real-time location.

The bug is said to be more dangerous than its predecessor because it’s “nearly undetectable,” Tom Lysemose Hansen, founder and chief technology officer at Promon, told TechCrunch.

The good news is that Promon said it has no evidence that hackers have used the bug in active hacking campaigns. The caveat is that there are “no good ways” to detect an attack. Fearing the bug could still be abused by hackers, Promon delayed releasing details of the bug until Google could fix the “critical”-rated vulnerability.

A spokesperson for Google told TechCrunch that the company also saw no evidence of active exploitation. “We appreciate the work of the researchers, and have released a fix for the issue they identified.” The spokesperson said Google Play Protect, an app screening service built into Android devices, blocks apps that exploit the Strandhogg 2.0 vulnerability.

Strandhogg 2.0 works by abusing Android’s multitasking system, which keeps tabs on every recently opened app so that the user can quickly switch back and forth. A victim would have to download a malicious app — disguised as a normal app — that can exploit the Strandhogg 2.0 vulnerability. Once it is installed, and when the victim opens a legitimate app, the malicious app quickly hijacks that app and injects malicious content in its place, such as a fake login window.

When a victim enters their password on the fake overlay, the password is siphoned off to the hacker’s servers. The real app then appears, making it look as though the login was genuine.

Strandhogg 2.0 doesn’t need any Android permissions to run, but it can also hijack the permissions of other apps that have access to a victim’s contacts, photos, and messages by triggering a permissions request.

“If the permission is granted, then the malware now has this dangerous permission,” said Hansen.

Once that permission is granted, the malicious app can upload data from a user’s phone. The malware can upload entire text message conversations, said Hansen, allowing the hackers to defeat two-factor authentication protections.

The risk to users is likely low, but not zero. Promon said updating Android devices with the latest security updates — out now — will fix the vulnerability. Users are advised to update their Android devices as soon as possible.