SNEHIT - stock.adobe.com

How Aarogya Setu is addressing scale and security challenges

India’s contact-tracing platform leverages microservices, encryption techniques and cloud-based visibility tools to address scale and security requirements

In the early days of the Covid-19 pandemic, online travel booking platform Goibibo’s co-founder Vikalp Sahni and some developers banded together to explore the possibility of building an app to support India’s contact-tracing efforts.

At the time, the Indian government was planning to do the same and roped in Sahni’s team to build what has now become Aarogya Setu, one of the most downloaded apps in the world.

Like other contact-tracing apps, Aarogya Setu uses Bluetooth to securely exchange a digital signature of close contacts between two smartphone users, including time, proximity, location and duration.

The data is stored on the user’s device and should the user come into close contact with another user who tested positive for Covid-19 in the past two weeks, the app will calculate the risk of infection and notify affected users.

Today, the app is being used by 10% of India’s population with some 140 million downloads. In May 2020, the Indian government open-sourced the app’s source codes to alleviate public concerns about privacy and security.

Privacy and security, however, was always a priority for Sahni and his team of volunteer developers when they were building the technology platform for the app, which leverages cloud services from Amazon Web Services and is hosted on government datacentres across India.

Sahni, who recently left Goibibo to start a new health technology company, said the team had developed a private architecture for the app, which only pushes out data if there is a case of infection. All data at rest and in motion is also encrypted in accordance with best practices, he told Computer Weekly.

Security safeguards

The security safeguards were crucial as the team had expected the platform to be targeted by threat actors that were eyeing its data. True enough, the platform’s firewalls and security policies had blocked traffic from between 20,000 and 25,000 IP addresses and identities, Sahni said.

There were also distributed denial-of-service (DDoS) attacks, as well as targeted attacks by some renowned hackers, but Sahni said nothing came out of those attempts.

Read more about IT in India

Besides fending off cyber threats, the development team had to ensure the platform could scale with the rapid growth in the number of users. Within 13 days since Aarogya Setu was made available, the app recorded 50 million downloads, surpassing a previous record set by Pokemon Go.

Sahni said to build the most scalable platform possible, the team developed microservices, built data pipelines and leveraged NoSQL databases, so that data can be distributed quickly and scale well. At one point, the contact-tracing app recorded seven million server requests in just one minute.

As an early adopter of New Relic, a cloud-based application to help developers track the performances of their services, Sahni looked to the vendor to understand the scale issues that Aarogya Setu could face.

At the time, the Indian government had also joined New Relic’s Covid-19 relief programme, which provides 90 days of full-stack observability, with support that has since been extended for an additional three months for Aarogya Setu.

Knowing that the team needed to be well prepared for a huge wave of demand, the government felt that visibility into the technology and user experience was essential as the app became widely adopted. “With a roll-out at this size and scale, not having effective monitoring and visibility would have meant that we wouldn’t have been able to live up to the expectations of our citizens,” a government official said.

“Technology roll-outs will tend to fail at one point or another, but the most important thing is how quickly businesses can bounce back from these failures. New Relic allowed us to identify gaps of where we could have done better and ensured that any issues that occurred were addressed quickly,” she added.

For example, there was once when the team encountered a longer than usual response time, which was eventually traced to the way a database was configured. Sahni said these issues would have been hard to resolve without the use of New Relic.

Read more on Endpoint security