As countries around the world rush to build smartphone apps that can help track the spread of Covid-19, privacy advocates have cautioned that those systems could, if implemented badly, result in a dangerous mix of health data and digital surveillance. India’s new contact-tracing app may serve as a lesson in those privacy pitfalls: Security researchers say it could reveal the location of Covid-19 patients not only to government authorities, but to any hacker clever enough to exploit its flaws.

Independent security researcher Baptiste Robert published a blog post today sounding that warning about India’s Health Bridge app, or Aarogya Setu, created by the government’s National Informatics Centre. Robert found that one feature of the app, designed to let users check if there are infected people nearby, instead allows users to spoof their GPS location and learn how many people reported themselves as infected within any 500-meter-radius. In areas that have relatively sparse reports of infections, Robert says hackers could even use a so-called triangulation attack to confirm the diagnosis of someone they suspect to be positive.

“The developers of this app didn’t think that someone malicious would be able to intercept its requests and modify them to get information on a specific area,” says Robert, a French researcher known in part for finding security vulnerabilities in the Indian national ID system known as Aadhaar. “With triangulation, you can very closely see who is sick and who is not sick. They honestly didn’t consider this use of the app.”

Security researchers like Robert have focused their attention on Aarogya Setu in part due to its sheer scale. The Indian government has declared the contact-tracing app mandatory for many workers and it’s already been downloaded more than 90 million times according to government officials.

Read all of our coronavirus coverage here.

Unlike many of the apps rolling out across Europe now and soon in the United States, Aarogya Setu traces potentially infected people’s movements via GPS rather than Bluetooth data alone. It may represent a cautionary tale about how flawed implementations of contact-tracing apps—particularly those that rely on location data—can lead to serious leaks of sensitive medical information.

“I expect many of the contact-tracing apps to have these types of issues, and I think particularly the ones that rely on GPS are going to be more privacy invasive,” says Ashkan Soltani, a former Federal Trade Commission lead technologist who reviewed Robert’s findings and analyzed other contact-tracing apps. “When you tie it to something like health status, it’s not surprising that these types of inferences can be made.”

Robert first recognized Aarogya Setu’s privacy problem when he analyzed a feature that checks for reports of infected people within a certain radius. He found that by mimicking those requests from his laptop, he could simply spoof his location, altering the queries to ask for the number of infected people in a 500m radius around any latitude and longitude.

That GPS spoofing possibility is troubling enough on its own. If someone lives in a remote area, they could easily be identified as Covid-19 positive. But Robert suggests that the bug could also be used to carry out a technique known as triangulation or trilateration, finding the reported Covid-19 status of someone in a far more targeted location.

If a hacker suspects that someone has Covid-19, they could check a series of overlapping 500m circular areas around their target, carefully placing the centers of those circles so that they don’t cover their target’s home, but so that the edges of the circles create a boundary around it. If each of those 500m-radius areas contains zero infected people, the hacker would then draw new circle, this time positioning its center over the person’s home. If the count of sick people goes up by one, the hacker can deduce that an infected person is in that narrowly defined location. “If I want to know if the people in a house are sick, I can draw a boundary around it and the application will give me the result,” Robert says.