Since there isn't any method called to check whether mock location is enabled or not, hackers/miscreants can use any mock location app to hide their real location and report infection from this fake location. Since the program does not have any checks for Temporary phone numbers , A user could register/login using a temporary phone number hide his location and report a fake covid infection case. adding this simple permission check will prevent this

public static boolean isMockSettingsON(Context context) { // returns true if mock location enabled, false if not enabled. if (Settings.Secure.getString(context.getContentResolver(), Settings.Secure.ALLOW_MOCK_LOCATION).equals("0")) return false; else return true; }

The app doesn't show any warning or ask for any password if the user connects it with the PC through USB, as there would be the chance of decompiling the app via ADB shell and hacker can apply reversing techniques to alter the various personal credentials which would result in privacy threat or any other crucial threat.

Hello,

i am able to view the data on here https://fp.swaraksha.gov.in/api/v1/app/config/ It says this error when opening this link on browser

Unauthorized The server could not verify that you are authorized to access the URL requested. You either supplied the wrong credentials (e.g. a bad password), or your browser doesn't understand how to supply the credentials required.

I just used my proxy intercept tool to check this and it showed me the data in response code.

Below are the request and response...

Request :-

GET /api/v1/app/config/ HTTP/1.1 pt: 9cf23ec2-d83c-4778-aca5-d7fb64ae1b2d ver: 1047 ver-name: 1.1.3 os: 23 device-type: samsung-SAMSUNG-SM-N910A Content-Type: application/json pt: 9cf23ec2-d83c-4778-aca5-d7fb64ae1b2d ver: 1047 Host: fp.swaraksha.gov.in Connection: close Accept-Encoding: gzip, deflate User-Agent: okhttp/3.14.7

Response :-

HTTP/1.1 200 OK Date: Fri, 30 May 2020 19:22:03 GMT Content-Type: application/json Connection: close Server: nginx Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST Access-Control-Allow-Headers: Authorization, pt, ver, content-type Content-Length: 203

{"f_upgrade_android":{"min_version":1041,"specific_version":[0]},"is_force_upgrade_required_ios":{"min_version":"0.0","specific_version":["1.5"]},"max_count_read_write":10,"max_data_persisting_days":30}

The gradle build of the project looks for a keystore.properties file, which is missing from the checked in codebase.

def keystorePropertiesFile = rootProject.file("keystore.properties")
def keystoreProperties = new Properties()
keystoreProperties.load(new FileInputStream(keystorePropertiesFile))

While the details are mentioned in the readme, please checkin a default file as is which needs to be configured by the developers running the build.

Full name field does not contain any special character like €,*,%,# etc..

Use regex and also Add toast message if user try to add special char in full name field.

Hi There,

I think, people are not giving the correct info while logging in. I advice to scan Aadhaar card and this info will always be correct. Or else, some how the registered mobile no should get info from Aadhaar server(using an API).

One more idea can be here is that our testing kits should have hardware inbuilt and we may buy them from medical shops to test. This kit should only be activated only by app by scanning Aadhaar card. So if someone tests +ve then we have the correct info and officials can track them easily.

-Thanks

Scenario:- App crashed:- When clicks on back button after clearing chat

Steps to reproduce:-

1. Click on "Access Again" in hompage
2. Provide the information in chat accordingly
3. Clear chat clicking on FAB button
4. Click on tooltip and close the tooltip
5. Click on Back button in mobile will close the app
6. Then open the app again

Actual:- App crashed

Instead of developing the App for two Platforms with two different codebases, you can have got in one codebase if you have used a framework like flutter. That would be much easier for developers to find a bug and that will be rectified with ease.

Hi, there is no rate limit of otp attempts on login page which enables to brute force the 6 digit and takeover the account. Please add rate limit after 3-4 attempts.

I have been trying to do it for so long but no success. I will close this issue once someone helps me, so please dont comment "No questions in issue"

Almost all modern smartphones have an Accelerometer in them while the phone is set to idle for more than say 10min,

1. let the Aarogya Setu app daemon go into sleep, to conserver battery power.
2. But, the daemon only wakes up if it detects any rapid change from the accelerometer or GPS
3. And then starts doing its business.

I want to find out if there is a way to delete an account (Name) tied to a number and recreate a different account with the same number.

I have initially created an account with Name ABC for my number 1234567890. Now I want to delete ABC and create XYZ for that number. I tried deleting the account title from the settings option, but it looks like it isn't deleting the details. When I log in again, it fetches the old information and displays it.

This is very important as I need to update the account details as my aadhar card is tied to this number, and now I cannot use the aarogya setu app as it shows some others' details.

It looks like it is just deleting on the front end and not doing it on the backend. Not sure, though. I came to this conclusion because when I click on the delete button, it immediately navigates to the registration flow within a fraction of a second.

So my parents are vaccinated with 2 doses of Pfizer which was in USA. Now after 6months visit they are back and the app is asking them to choose amongst: Covishield, Covaxin or Do not know. Instead, it can offer a "Other vaccine" option and subsequently ask the user to type the vaccine name or provide the list of most common vaccines outside of India.

If a user is registered as a beneficiary from another mobile number, and then if they try to use the same document validation to check details in their app, wrong details are being displayed.

For example, my friend adds me as a beneficiary using my Aadhar card details. Now if I try to add myself as a beneficiary in my phone, I can't use my Aadhar Card details on my phone. It shows me wrong details for that, which can lead to confusion.

Before filling

After tapping on the respective phone number

• The problem is it not taking the last three characters of the mobile numbers can you pls assign me this task for correction.