The response is json and if the "p" key value is 1 then the app responds by silently uploading all of the stored bluetooth/location data to the server. This occurs without notifying the user or asking for their consent. We have confirmed that this functionality is operational and uploads do indeed take place. The relevant code is in the checkStatus() function within file CorUtility.kt. We recommend that this functionality be disabled as a matter of urgency - silent uploads of sensitive data are wholly inappropriate.
Upon launch the app makes a request to:
fp.swaraksha.gov.in/api/v1/users/status
The response is json and if the "p" key value is 1 then the app responds by silently uploading all of the stored bluetooth/location data to the server. This occurs without notifying the user or asking for their consent. We have confirmed that this functionality is operational and uploads do indeed take place. The relevant code is in the checkStatus() function within file CorUtility.kt. We recommend that this functionality be disabled as a matter of urgency - silent uploads of sensitive data are wholly inappropriate.