COVID-19 Contact Tracing Apps

Are they securing user data properly?

Taba Zimmerman

On June 22, 2020, The Washington Post released an online article regarding coronavirus applications and their lack of security for users’ data. These contact tracing apps function by having users self-report that they have tested positive for the coronavirus; the app then uses location data or anonymized Bluetooth signals to ping other users that they may have been in proximity and possibly exposed to the virus.

The article discusses how the apps are severely lacking in security and privacy protections, which makes it easier for hackers to compromise the data users have stored in the app. The Washington Post reports that the developers of these applications did not implement strong digital protections that are standard on other applications dealing with sensitive personal or health-related information, and some of these COVID-19 apps are even siphoning user data to third-party apps. These third-party applications could be used for targeted advertising or tracking across other unrelated apps without user permission.

"One thing that's happening with [coronavirus] is that people are giving even more of their information up as response to the crisis, or downloading an app," says Adam Schwartz, a senior staff attorney at the Electronic Frontier Foundation, a privacy advocacy group. "There aren’t the protections we need.”

GuardSquare published a study in which it assessed 17 Android mobile contact tracing applications, built by government entities, from 17 different countries. GuardSquare’s methodology analyzed the apps for key mobile security protections across two categories of security and privacy protection:

  • Code hardening - a way of protecting APKs and SDKs from reverse engineering and hacking.

  • Runtime Application Self-Protection (RASP) - uses runtime instrumentation to detect and block computer attacks by taking advantage of information from inside the running software.

While analyzing the apps for these two categories, GuardSquare also searched for common security protections:

  • Name obfuscation

  • String encryption

  • Asset/resource encryption

  • Class encryption

  • Root detection

  • Emulator detection

The results of the study conducted by GuardSquare indicated that most contact tracing apps don’t employ sufficient security protections, with only one of the applications being secure. These apps are intended to help us understand how the virus spreads, notify users if they came into contact with an infected person, and combat the spread of the virus. Was the urgency of getting these contact tracing apps to market quickly, to slow down the spread of COVID-19, the reason developers didn’t focus so much on securing user data? The announcement in April of this year of a team effort from Apple and Google states:

"Apple and Google will be launching a comprehensive solution that includes application programming interfaces (APIs) and operating system-level technology to assist in enabling contact tracing. Given the urgent need, the plan is to implement this solution in two steps while maintaining strong protections around user privacy."

The fastest product to market is not always the safest, and users should always be mindful of security and privacy when submitting sensitive information online or through mobile applications.

Always consider security when utilizing applications

Call BeCloud for questions and concerns regarding Application Security