Yet another #DigitalIndia #FAIL
The idiots at @DigiYatraOffice didn't realise their package name didn't match their org/domain.
in.dataevolve.digiyatra /
ie. "Official" DigiYatra app was no different from malicious apps pretending to be them. play.google.com/store/apps/det…
@DigiYatraOffice Google doesn't allow you to change your package name.
So they have no choice but to force everyone to install their "new" app to lend their app some semblance of credibility.
/
More like #WeFuckedUp
org.digiyatra.org
play.google.com/store/apps/det…
@DigiYatraOffice And this gets even better...
What is this "Dataevolve" company that built and likely was controlling the "official" @DigiYatraOffice app all these years?
It's an OPC Pvt Ltd aka "One Person Company" not very different from a Sole Proprietorship concern.
@DigiYatraOffice And who is that "one person"? Avinash Komireddy Son-in-law of former AP DGP.
His FIL handed Dataevolve OPC Pvt Ltd a govt contract as e-challan provider.
Avinash is accused of siphoning away over Rs.36 crores and the scam is being probed by @dir_ed!
timesofindia.indiatimes.com/city/hyderabad…
@DigiYatraOffice @dir_ed This is the kind of unethical scum @DigiYatraOffice hired to build the #DigiYatra app and handle the personal data of millions of air passengers.
On what basis did @DigiYatraOffice hire these criminals?
What is the guarantee they haven't siphoned away everyone's personal data?
@DigiYatraOffice @dir_ed All these complaints on Twitter that the old #DigiYatra app stopped working got me thinking that this is more than a package name change from in-dot-dataevolve-dot-digiyatra to org-dot-digiyatra-dot-org
If it was just package name change both apps would have continued to work.
@DigiYatraOffice @dir_ed So I pulled down old APKs for both the old and new apps.
in.dataevolve.digiyatra v3.40 released on Feb 20, 2024.
and
org.digiyatra.org v4.1 released on Apr 1, 2024.
(Yes the idiots bungled up their 4.0 release and released 4.1 the same day but that's a different story)
@DigiYatraOffice @dir_ed The old app was communicating with the API endpoint at api-ssi.dataevolve.in / ….execute-api.ap-south-1.amazonaws.com
The new app communicates with api-prod.digiyatrafoundation.org.
IOW all past versions of #DigiYatra app were sending passenger data to Dataevolve's AWS servers.
#Privacy #FAIL
@DigiYatraOffice @dir_ed Hey @DigiYatraOffice @MoCA_GoI @JM_Scindia
Why does #DigiYatra app have references to AWS GovCloud? (US Govt Cloud.) and sgov.gov subdomains (US Govt domain)?
If you aren't communicating with US Govt/ US Govt. entities why leave these references in your app?
@DigiYatraOffice @dir_ed @MoCA_GoI @JM_Scindia Who is Ramku? o_0
And why are parts of his Windows Downloads folder being shipped with the #DigiYatra Android app?
@DigiYatraOffice @dir_ed @MoCA_GoI @JM_Scindia Yes. I am being super lazy and not actually decompiling the app or its components.
This thread isn't what I set out to do tonight.
@DigiYatraOffice @dir_ed @MoCA_GoI @JM_Scindia Looks like #DigiYatra app is also hotlinking artwork from some free image site.
Hey @freepik do your terms allow customers to hotlink images hosted by you from their apps/websites? img.freepik.com/free-vector/pa…
@DigiYatraOffice @dir_ed @MoCA_GoI @JM_Scindia The latest #DigiYatra app(v4.1) has removed all references to api-ssi.dataevolve.in
But they still have a reference to verifier.dataevolve.in
How long before they push out version 4.2 with this URL removed/replaced?
@DigiYatraOffice @dir_ed @MoCA_GoI @JM_Scindia This is how Dataevolve Solutions OPC got the AP Govt e-challan contract.
Dataevolve won the tender by bidding ***ONE RUPEE*** while the firm that handled it initially bid Rs.1.97 crores per year.
How much did @DigiYatraOffice pay them?
timesofindia.indiatimes.com/city/vijayawad…
@DigiYatraOffice @dir_ed @MoCA_GoI @JM_Scindia Avinash Komirreddy the "One Person" behind Dataevolve Solutions OPC that built and operated #Digiyatra app until last week was arrested by Guntur Police in Nov 2022 and assets worth Rs. 13crs were seized.
No news outlet highlighted link to #Digiyatra app
timesofindia.indiatimes.com/city/vijayawad…
Excellent point.
Hey @MoCA_GoI @JM_Scindia
How many full time employees(non-contractors) does @DigiYatraOffice / Digi Yatra Foundation have on its rolls?
How many of them are involved in software development and infosec roles?
@MoCA_GoI @JM_Scindia @DigiYatraOffice According to this 02 FEB 2023 @MoCA_GoI @PIB_India press release quoting written reply in Lok Sabha, it doesn't look like any tender process was followed in "selecting" Dataevolve Solutions OPC Pvt Ltd to build and operate "Digi Yatra Central Ecosystem."
pib.gov.in/PressReleasePa…
@MoCA_GoI @JM_Scindia @DigiYatraOffice @PIB_India Three of the Face Detection models being used by #DigiYatra app match the files in this 6 year old Github repo.
Can someone who works with FRT point to the OG source?
github.com/rnc-archive/rn…
@MoCA_GoI @JM_Scindia @DigiYatraOffice @PIB_India Found more matching models in this Jul 2022 Github issue.
github.com/flutter-ml/goo…
This story just gets better and better!(read shittier and shittier.)
The proceeds of the e-Challan scam was used by to pay @awscloud bills and resell it to their clients.
Wonder if DIgiYatra's @awscloud bills too were paid for by proceeds of this crime?
@awscloud Dataevolve Solutions is an AWS Advanced Tier Services Partner which made it easy to launder ~36crores of e-challan scam proceeds via @awscloud by reselling their services.
AWS even quoted Avinash Kommireddi in their PR blast ~2 months before his arrest.
aws.amazon.com/blogs/publicse…
@awscloud Hey @DigiYatraOffice @MoCA_GoI @JM_Scindia @AAI_Official
Please confirm if Digi Yatra Foundation has been paying @awscloud bills directly to Amazon or was Dataevolve Solutions (OPC) Pvt Ltd paying #DigiYatra bills with proceeds of the AP e-Challan scam?
@awscloud @DigiYatraOffice @MoCA_GoI @JM_Scindia @AAI_Official This is such a brazen scam.
Wonder how @Razorpay didn't notice there was a company registered with ROC that was almost infringing on their trademark.
And it took ~5 years for the AP govt/police to realise that RAZORPE is not RAZORPAY!
@awscloud @DigiYatraOffice @MoCA_GoI @JM_Scindia @AAI_Official @Razorpay So Dataevolve Solutions OPC Pvt Ltd wasn't just building and running the software stack.
They were running #DigiYatra support too?
So what exactly does @DigiYatraOffice /Digi Yatra Foundation do other than being a conduit for money and RTI-exemption?
@awscloud @DigiYatraOffice @MoCA_GoI @JM_Scindia @AAI_Official @Razorpay How hard is it to do a search and replace on a codebase?
Very hard for @DigiYatraOffice apparently.
The new #DigiYatra app still has multiple references to the "old" Dataevolve app's APIs/URLs.
@awscloud @DigiYatraOffice @MoCA_GoI @JM_Scindia @AAI_Official @Razorpay Hey @awscloud
Do you charge for censorship by the URL or by words/bytes?
What support plan is @DigiYatraOffice on that offers such prompt CensorshipAsAService to eliminate all traces of links between #DigiYatra and Dataevolve Solutions OPC Pvt Ltd?
aws.amazon.com/partners/succe…
@awscloud @DigiYatraOffice @MoCA_GoI @JM_Scindia @AAI_Official @Razorpay . @awscloud only does that redirect for censored articles.
Non-existent articles result in a 404.
For eg. This URL I made about AWS Censorship As A Service returns a 404.
aws.amazon.com/partners/succe…
@awscloud @DigiYatraOffice @MoCA_GoI @JM_Scindia @AAI_Official @Razorpay Thankfully for us and not so thankfully for @awscloud and the morons at @DigiYatraOffice...
THE INTERNET NEVER FORGETS!
Here's Google and Duckduckgo returning proof in the top result that URL existed until recently when you search for " digiyatra" aws.amazon.com
@awscloud @DigiYatraOffice @MoCA_GoI @JM_Scindia @AAI_Official @Razorpay And here's @internetarchive doing what they do best!
A full and permanent archive of the "Partner Success" from October 2023 that @awscloud and @DigiYatraOffice no longer want the world to see because of Dataevolve's legal troubles since November 2023.
web.archive.org/web/2024011006…
@awscloud @DigiYatraOffice @MoCA_GoI @JM_Scindia @AAI_Official @Razorpay @internetarchive Adding this here for completeness/chronology.
I had no idea that mobile apps these days can ship with the AWS SDK for JavaScript. (Assumed SDKs were for backend/scripts)
Like why ship the S3 SDK instead of using presigned URLs?
@awscloud @DigiYatraOffice @MoCA_GoI @JM_Scindia @AAI_Official @Razorpay @internetarchive #OfficialCourtDocuments #DigiYatra #APeChallanScam
Avinash Kommireddi "One Person" behind Dataevolve Solutions OPC Pvt. Ltd was "languishing in jail" between 21/11/2023 and 05/02/2024,
h/t @HazelnutCrumb for wresting this and other docs from the eCourts website.
@awscloud @DigiYatraOffice @MoCA_GoI @JM_Scindia @AAI_Official @Razorpay @internetarchive @HazelnutCrumb Lo and behold!
The "old" Dataevolve #DigiYatra app has been "upgraded" to 3.5.0 and the corresponding API gateway is also "functioning" again and users are being notified to install the "new" #DigiYatra DigiYatra app!
api-ssi.dataevolve.in
@awscloud @DigiYatraOffice @MoCA_GoI @JM_Scindia @AAI_Official @Razorpay @internetarchive @HazelnutCrumb Some context.
The 3.4.0 build of "old" Dataevolve #DigiYatra App was 45MB.
The 3.5 "upgrade" is only 13.1MB probably because it only contains a link to install the "new" DYF #DigiYatra App.
$ du -sh Digi\ Yatra_3.4.0_apkcombo.com.apk
45M	Digi Yatra_3.4.0_apkcombo.com.apk
$
@awscloud @DigiYatraOffice @MoCA_GoI @JM_Scindia @AAI_Official @Razorpay @internetarchive @HazelnutCrumb FWIW the other Dataevolve URL is still not functional.
This URL is found in both the old and new #DigiYatra apps.
verifier.dataevolve.in:1003
@awscloud @DigiYatraOffice @MoCA_GoI @JM_Scindia @AAI_Official @Razorpay @internetarchive @HazelnutCrumb Tried to find out why DYF's #DigiYatra 4.1 was ~30% larger than Dataevolve's #DigiYatra 3.4...
It's because they are now supporting x86 and x86_64.
Can understand x86_64(Chromebooks/laptop+tablet hybrids etc.) but who exactly are they targeting with x86 in 2024?
Hey @DigiYatraOffice!
Please be advised that it is customary to make such statements on April 1st alone.
Not so funny on other days.
From play.google.com/store/apps/det…
@DigiYatraOffice Found this weird "unedited" "live" stream of AP Police Press Meet on Oct 19 2023 announcing details of the eChallan scam before the arrests. (Video is mostly in Telugu.)
(The @awscloud angle was explained in a different press meet around Nov 22nd.)
@DigiYatraOffice @awscloud Youtube also throws some curveballs...
"Digi Yatra CEO Avinash Komireddy Special interview"
@DigiYatraOffice @awscloud Found the post arrest press conference by AP Police.
Explains the @awscloud based money laundering operation reselling AWS services to ~58 different companies.
@DigiYatraOffice @awscloud AP Police seems to have learnt the right lessons from this experience and they are going to switch to an e-Challan system from @NICMeity and stick to govt entities for other projects too to avoid a repeat of such scams. #SilverLining
@DigiYatraOffice @awscloud @NICMeity Found all 12 matching file names in a completely unrelated iOS app.
These models are probably shipped in some archive that doesn't show up in search results.
But shouldn't be too hard to find them now considering so many apps are using them.
@DigiYatraOffice @awscloud @NICMeity Still haven't found the source.
But I can now confirm that #DigiYatra and Dataevolve did not build or optimise any of the 12 face recognition related models that are shipped with the #DigiYatra app.
Found all 12 models from 2 different sources.
@DigiYatraOffice @awscloud @NICMeity Instead of explaining to the public why they had to so unceremoniously dump the old #DigiYatra app and the status of their partnership with Dataevolve Solutions OPC Pvt Ltd....
@DigiYatraOffice is paying influencers to promote their new app.
Supported architectures and file sizes of various #DigiYatra apps is uh-"interesting"...
Feb 20th - 3.4.0 / 45MB - armeabi-v7a, arm64-v8a
Apr 1st - 4.1 / 57MB - armeabi-v7a, arm64-v8a, armeabi, x86, x86_64
Apr 3rd - 3.5.1 / 22MB - arm64-v8a
The #DigiYatra app "upgrade" resulted in their app going from 3.3 million installs to mere 230k.
Can you imagine any startup culling their install base acquired over years like this and no heads rolling at the very top?
But @DigiYatraOffice has zero accountability to anyone.
@DigiYatraOffice This is same drivel about "no motive for making money" that @DigiYatraOffice 's hand picked partner Dataevolve Solutions OPC Pvt Ltd fed AP Police while bidding for Re.1 for a Rs 2 crore tender.
Their "noble cause" turned out to be siphoning away 36+ crores.
@DigiYatraOffice Some more forensics....
The @DigiYatraOffice website was down for updation sometime last month sometime around March 6th/7th(depending on timezone.)
@DigiYatraOffice What else did @DigiYatraOffice 's "Mad Designer" do as part of the update?
Just very normal logical things...
They moved their website hosting from @awscloud (with Amazon Cloudfront CDN) to fscking @GoDaddy!
@DigiYatraOffice @awscloud @GoDaddy Where do you think the official website of @DigiYatraOffice, #ProudlyIndian crown jewel of #DigitalIndia is physically located?
Phoenix, USA!
Nothing says #DigitalIndia like being unable to host a basic website in the country! Right @GoI_MeitY?
@DigiYatraOffice @awscloud @GoDaddy @GoI_MeitY The old @DigiYatraOffice website IPs on @awscloud have a sub-10 millisecond latency within India as AWS Cloudfront CDN has POPs with all major ISPs.
The new @DigiYatraOffice website IP is located half way across the world in USA and has latency of ~250ms
@DigiYatraOffice @awscloud @GoDaddy @GoI_MeitY The "new" DYF #DigiYatra app's API endpoint was stood up on 24th March.
26th March @DigiYatraOffice announced week long outages at all airports.
1st April DYF rolled out the botched "upgrade" which required all 3.3 million users to uninstall their app.
TOW @DigiYatraOffice CEO is a stickler for branding...
It's "Digi Yatra" and not "DigiYatra" or "Digiyatra".
@DigiYatraOffice Hey Suresh @DigiYatraOffice
This is not done on Wikipedia and a violation of their rules.
I know it's hard for you folks to understand when you have only been dealing with Godi media where your made up history is published unchallenged as gospel truth.
Oh boy! The Dataevolve Solutions rabbit hole goes so much deeper... much much deeper!
Strap in for a WILD RIDE!
They have been operating a lot more than just DigiYatra on their own domain.
(Not all are currently active but have been in the past.)
Gail Gas - @gailindia
gailgas.dataevolve.in is still live.
Genesys - Probably @Genesysmaps who use that domain ( and less likely @igenesys or @Genesys )
Looks like an S3 bucket manager. igenesys-s3.dataevolve.in
Can't find an official announcement but @MinistryWCD seems to have used Dataevolve for their "Pradhan Mantri Matru Vandana Yojana" website(and likely app too?)
uat-pmmvy.dataevolve.in is identical to pmmvy.wcd.gov.in
This in itself may be innocent with UAT and all...
@MinistryWCD But what's really worrying is only one of the two "Download" buttons point to the Google Play store.
The "Download PMMVY App" button is a direct link to an APK hosted on the same site.
WTF! @MinistryWCD #DigitalIndia #FAIL pmmvy.wcd.gov.in/apk/PMMVYsoft.…
@MinistryWCD . @MinistryWCD have made sideloading the only option and haven't bothered to publish the app to Play Store. (Or pulled it for some reason.)
Google Play website autocompletes for both "PMMVY" and "Pradhan Mantri Mat" but there are no matching apps in the search results.
@MinistryWCD And here's @smritiirani Hon'ble Minister @MinistryWCD boasting about how PMMVY's new portal and app are promoting #DigitalIndia but makes no mention of Dataevolve's role in this.
pib.gov.in/PressReleaseIf…
@MinistryWCD @smritiirani Hey @UIDAI @ceo_uidai @NCIIPC
@NICMeity @GoI_MeitY @Rajeev_GoI
Are these "production" license keys issued to @MinistryWCD's PMMVY program considered secrets?
If so you may want to revoke them ASAP as they are compromised. #DigitalIndia #Secrets
@MinistryWCD @smritiirani @UIDAI @ceo_uidai @NCIIPC @NICMeity @GoI_MeitY @Rajeev_GoI The @MinistryWCD's PMMVY UAT portal hosted on Dataevolve Solutions' domain has gone live about a month before the PMMVY portal launch event and press release linked earlier.
So it's very likely they landed contract for the new portal.
Did they bid Re 1 for this contract too?
Switching back to #DigiYatra analysis...
Old "Digievolve" app had 2 trackers and reqd 12 permissions (Dec '23).
New "DYF" app has 2 trackers and needs 16 permissions. (Apr '24)
reports.exodus-privacy.eu.org/en/reports/429…
reports.exodus-privacy.eu.org/en/reports/429…
Here are the...
- 12 permissions common to both apps.
- 4 permissions only in the new app.
So @DigiYatraOffice has always had access to READ and WRITE/MODIFY ***ALL THE DATA*** on your device.
Yes that includes data of other apps installed on your phone.
WRITE_EXTERNAL_STORAGE
READ_EXTERNAL_STORAGE
From developer.android.com/training/data-…
@DigiYatraOffice . @DigiYatraOffice is not just surveilling you at the airport with your Aadhaar / Aadhaar linked identifiers.
They are also tracking your device's "AD_ID", a globally unique Advertising ID.
This can merge your real world activity with your online data.
support.google.com/googleplay/and…
@DigiYatraOffice Can Suresh/@DigiYatraOffice or someone using the "new" #DigiYatra app confirm why it needs "RECORD_AUDIO"/Microphone access?
@DigiYatraOffice It's a common misconception that all Android apps need READ/WRITE to storage permissions for their regular functioning as they would need to read/write their own data to storage.
This is not true.
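The endpoint comparison done earlier in this thread (which hostnames the old and new #DigiYatra APKs reference) can be repeated without decompiling anything. This is an added example, not part of the original thread and not DigiYatra's code: the two APKs are tiny constructed stand-ins, the URL schemes and paths in them are made up, and the function names and the owner-domain set are assumptions.

```python
import io
import re
import zipfile

# URL hostnames only: anchoring on the scheme avoids matching Java package names.
URL_HOST = re.compile(rb"https?://([a-z0-9](?:[a-z0-9.-]*[a-z0-9])?)", re.I)

def url_hosts(apk_bytes):
    """Map each URL hostname found in any APK member to the members holding it."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            for m in URL_HOST.finditer(apk.read(name)):
                host = m.group(1).decode("ascii").lower()
                found.setdefault(host, set()).add(name)
    return {h: sorted(names) for h, names in found.items()}

def is_first_party(host, owner_domains):
    """True if host is one of the owner's domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in owner_domains)

def compare(old_apk, new_apk, owner_domains):
    """Diff the endpoint hostnames of two releases and flag third-party ones."""
    old, new = url_hosts(old_apk), url_hosts(new_apk)
    return {
        "removed": sorted(set(old) - set(new)),
        "added": sorted(set(new) - set(old)),
        "kept": sorted(set(old) & set(new)),
        "third_party_in_new": sorted(
            h for h in new if not is_first_party(h, owner_domains)),
    }

def make_apk(members):
    """Build an in-memory zip so the example runs offline (constructed input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in members.items():
            z.writestr(name, data)
    return buf.getvalue()

# Constructed samples: hostnames are the ones named in the thread, the rest is invented.
OLD_APK = make_apk({"assets/app.bundle":
    b'x("https://api-ssi.dataevolve.in/v1");\x00http://verifier.dataevolve.in:1003/v'})
NEW_APK = make_apk({"assets/app.bundle":
    b'x("https://api-prod.digiyatrafoundation.org/v1");\x00'
    b'http://verifier.dataevolve.in:1003/v\x00https://img.freepik.com/constructed.png'})

OWNER_DOMAINS = {"digiyatrafoundation.org"}  # assumed first-party domain set

if __name__ == "__main__":
    for key, hosts in compare(OLD_APK, NEW_APK, OWNER_DOMAINS).items():
        print(f"{key}: {hosts}")
```

On a real APK, read the file's bytes and pass them to `compare`; hosts assembled at runtime or stored obfuscated will not appear in a plain byte scan like this one.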