Security, Privacy Issues Found in Tens of COVID-19 Contact Tracing Apps

An analysis of 40 COVID-19 contact tracing applications for Android has led to the discovery of numerous security and privacy issues, according to a new research paper.

Contact tracing applications have been created to help authorities automate the process of identifying those who have been in close contact with infected individuals.

Using a newly developed tool called COVIDGuardian, which was designed for both static and dynamic program analysis, academic researchers with universities in Australia and the United Kingdom analyzed 40 worldwide Android contact tracing apps and discovered potential security risks in more than half of them.

COVIDGuardian, an automated security and privacy assessment tool, was used to assess the security performance of the analyzed applications against four categories, namely manifest weaknesses, general security vulnerabilities, data leaks (with a focus on personally identifiable information), and malware detection.

Identified issues, the researchers say, include the use of insecure cryptographic algorithms (72.5%), the storing of sensitive information in clear text (55%), insecure random values (55%), permissions to perform backups (roughly 42.5% of apps), and the inclusion of trackers (20 trackers were identified in approximately 75% of the apps).

The research has revealed that the security of these apps is only slightly influenced by the use of a decentralized architecture, but also the fact that users are more likely to install a contact tracing app that has stronger privacy settings.

After being contacted by the researchers, some of the application developers addressed identified issues, including the leak of information and the inclusion of trackers. Other apps, however, were found to include even more vulnerabilities and trackers after they were updated.

The researchers also conducted a survey of more than 370 people regarding the use of contact tracing apps, their concerns, and their preference on centralized or decentralized apps.

“Security and privacy concerns have been a big issue affecting the uptake of these apps,” said Dr Gareth Tyson, senior lecturer at Queen Mary University of London and one of the authors of the study. “We were surprised that the debate around decentralised vs centralised apps didn’t seem so important and, instead, users were more focused on the exact details of what private information is collected. This should encourage developers to offer stronger privacy guarantees for their apps.”

Related: Singapore Admits Police Can Access Contact-Tracing Data

Related: New Trials in England for Troubled Virus Tracing App

Related: COVID-19 Contact Tracing Apps: Effective Virus Risk Management Tools or Privacy Nightmare?