New Tool Discovers Security and Privacy Vulnerabilities in COVID-19 Contact Tracing Apps

Last Updated: June 1, 2021

The COVID-19 pandemic threw the world into disarray. Its effects were and are still devastating, pushing many countries to the edge of a recession. In response, countries around the world are working assiduously to find a solution to the menace. One such solution is the COVID-19 contact tracing app.

What are COVID-19 Contact Tracing Apps?

Tracing apps are among the digital responses countries are giving to the pandemic. While scientists and researchers are working on fine-tuning the vaccines already in existence, tech gurus have also thrown in their weight by creating COVID-19 tracing apps.

A COVID-19 tracing app is an app that ‘traces’ infected persons in a line of transmission. These apps are installed on smartphones of every type, so variants exist for both Android and iOS devices. They typically utilize the Google/Apple Exposure Notification (GAEN) System.

Here, the app works with the Bluetooth of both devices, connecting users who have downloaded the app and are in close proximity (within 2 meters) of each other. The app notifies a user if the other connected person tests positive for the virus. (The person who tested positive has to enable the setting that allows the app to send notifications to persons who were in their vicinity.) The exposed person can then take the appropriate steps, i.e., either get tested or quarantine.

Other variants of the apps use wireless technology or GRP in place of Bluetooth. For the more sophisticated versions, features which help with self-assessment of daily physiological status, monitoring of temperature, heart rate, etc., are also present.

On their own, contact tracing apps may not win the battle against the pandemic. However, they could make a significant impact when paired with strong regulatory policies and strategies. Moreover, they could become even more effective if they receive legislative/political backing of some sort.

Privacy/Security Concerns with Contact Tracing Apps

One key concern regarding the COVID-19 tracing apps is the possibility of breaching the privacy of their users. Much like various other apps in use today, the problem of security breaches is on the front burner of citizens’ concerns. In fact, in a survey carried out by researchers from Queen Mary University of London, volunteers stated that privacy is their biggest concern while downloading a tracking app. This survey of over 370 individuals revealed that people placed a higher premium on their privacy than on the apps’ effectiveness.

Generally, the GAEN system is structured in such a way that it protects the privacy of users. It prevents the sharing of data with health authorities or the government. This helps address a key concern of users. Typically, sharing data with the government leads to a slippery slope where the data can be used even for monitoring and censorship.

However, some tracing apps require access to the user’s contact list before installation is complete. Many others state expressly that they will utilize the device location, password, IP address, and data generated by the user. Moreover, only a handful of providers go the extra mile of encrypting users’ data and keeping the data anonymous throughout.

Furthermore, privacy risk and exposure are determined by whether the app uses a decentralized or centralized storage system. In a centralized system, users’ data is localized: all information generated by each app is uploaded to a central server. Here, health authorities have access to the data, which forms critical statistics for creating solutions to the pandemic. It also enables the authorities to keep track of and provide treatment to infected persons.

On the other hand, in a decentralized system, most of the data is retained on the user’s phone. Snippets are then uploaded to external servers from time to time. This system is more privacy-friendly. However, a centralized approach is more useful to the health authorities, especially for diagnosing and treating the virus. 
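The decentralized flow described above, as an added sketch that is not taken from the article or from any real app: each phone broadcasts short identifiers derived from a daily key, a user who tests positive uploads only that key, and every other phone does the matching locally. HMAC-SHA256 stands in here for the real GAEN key derivation, and all names (`Phone`, `rolling_id`, `simulate`) are hypothetical.

```python
import hashlib
import hmac
import os

INTERVALS_PER_DAY = 144  # assumption for this sketch: 10-minute broadcast windows


def rolling_id(daily_key: bytes, interval: int) -> bytes:
    """Identifier broadcast over Bluetooth during one time window."""
    msg = b"rolling-id" + interval.to_bytes(2, "big")
    return hmac.new(daily_key, msg, hashlib.sha256).digest()[:16]


class Phone:
    def __init__(self):
        self.daily_key = os.urandom(16)  # stays on the device unless the owner reports
        self.heard = set()               # identifiers seen nearby, stored locally only

    def broadcast(self, interval: int) -> bytes:
        return rolling_id(self.daily_key, interval)

    def observe(self, identifier: bytes) -> None:
        self.heard.add(identifier)

    def report_positive(self, server: list) -> None:
        server.append(self.daily_key)    # the only data that is ever uploaded

    def check_exposure(self, server: list) -> int:
        """Re-derive identifiers from published keys and match them on-device."""
        return sum(
            rolling_id(key, i) in self.heard
            for key in server
            for i in range(INTERVALS_PER_DAY)
        )


def simulate():
    alice, bob, carol = Phone(), Phone(), Phone()
    published_keys = []                  # everything the server stores
    for interval in (10, 11, 12):        # constructed encounter: alice and bob, 3 windows
        bob.observe(alice.broadcast(interval))
        alice.observe(bob.broadcast(interval))
    carol.observe(bob.broadcast(50))     # carol met bob, never alice
    alice.report_positive(published_keys)
    return (bob.check_exposure(published_keys),
            carol.check_exposure(published_keys),
            len(published_keys))


if __name__ == "__main__":
    print(simulate())
```

The server ends up holding one opaque key and no record of who met whom; a centralized design would instead upload the `heard` sets themselves.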

The Response

In a proactive measure, several researchers have come up with a tool to identify and rectify the privacy challenges encountered with the COVID-19 tracing apps. This tool is known as COVIDGuardian. It is a privacy assessment tool that runs checks on the apps, looking for malware, private information leakages, and embedded trackers.

Since its inception, this tool has helped detect various security threats in these apps. Security experts utilized the software to analyze tracking apps and found, amongst other discoveries, that no less than 72.5 of the apps use at least one insecure algorithm, more than half of the apps contain trackers that feed information to third parties such as Google, and one app was found to contain malware. This survey was carried out by a team of researchers at Queen Mary University of London. They subsequently made their findings open to the public. In reaction to this, four of the apps under review fixed the challenges noted by the tool. Furthermore, one problematic app was removed entirely from the smartphones’ app stores.

Conclusion

With the outbreak of the COVID-19 pandemic, governments are taking all of the help they can find. COVID-19 tracking apps provide a means to forestall the spread of the virus. They also provide a means to track infected persons, stopping the further spread of the virus. However, as is common with software, some of the tracking apps had security issues. COVIDGuardian was then developed to detect and handle these security issues.