We’ve had concerns over the privacy and security implications of Covid-19 contract-tracing apps, and a new report suggests several apps built on top of a unified framework jointly developed by Apple and Google may have had several critical privacy flaws.
Unlikely allies Apple and Google had sought to reassure the public that their contact tracing APIs had privacy and security safeguards built in. They claimed no one would be able to use the tech to track user location or sell advertising.
How does the software work?
In order to identify exposure to Covid-19, the framework uses what the two companies called “rolling proximity identifiers,” or Bluetooth-enabled identity pings. The Bluetooth ID would change every 15 minutes, making it harder to identify individuals. The information collected is also stored locally and not in a cloud or physical server.
Apple and Google’s framework was adopted on a national level by both the UK and Canadian governments, as well as several state governments in the U.S., spanning tens of millions of users.
[Get more privacy stories in your inbox. Sign up for the ExpressVPN blog newsletter].
What is the security flaw?
The security flaw, which is only thought to affect the Android version of the contact-tracing app, was first identified by AppCensus, a company that conducts privacy analysis on apps. In its investigation, the firm found that the Bluetooth identifiers had started to share sensitive information with system-level applications.
AppCensus made the discovery as part of a contract with the U.S. Department of Homeland Security to analyze the security frameworks of the tool. The firm did not find any issues with the iOS version.
According to The Markup, which did a follow-up report on the issue, multiple pre-installed apps on Android devices such as Samsung Browser and Motorola MotoCare had access to such contact-tracing information. That’s because the framework was engineered to store the information in system logs, with pre-installed apps such as the two mentioned above having privileges to access the data, too.
The report added that up to 400 pre-installed apps built by companies such as Samsung, Motorola, and Huawei retain the functionality to read system logs for crash reports and analytic purposes. That’s precisely where the contact-tracing app was storing critical information.
AppCensus’s research team added that system logs included data such as whether a person came into contact with an individual that had a confirmed positive Covid-19 test. Some of the information might have been personally identifiable, such as a device’s name and MAC address. Theoretically speaking, the offending apps could have collected the data and sent it back to their parent company, but the researchers did not find any evidence that they did so.
How have Google or Apple responded?
The team first informed Google of its findings through a bug bounty program on Feb 19 and heard back from them almost a month later. AppCensus eventually got a second email from Google saying that they didn’t deem the flaw to be a significant risk and that they didn’t qualify for the bug bounty payout.
Google only took action after journalists reached out to it for more information and to corroborate AppCensus’s findings.
“We were notified of an issue where the Bluetooth identifiers were temporarily accessible to specific system level applications for debugging purposes, and we immediately started rolling out a fix to address this,” a Google spokesperson said in a statement.
Do you have a contact-tracing app? Let us know if you’re concerned about it in the comments!