Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Application Security

Security, Privacy Issues Found in Tens of COVID-19 Contact Tracing Apps

An analysis of 40 COVID-19 contact tracing applications for Android has led to the discovery of numerous security and privacy issues, according to a new research paper.

Contact tracing applications have been created to help authorities automate the process of identifying those who have been in close contact with infected individuals.

An analysis of 40 COVID-19 contact tracing applications for Android has led to the discovery of numerous security and privacy issues, according to a new research paper.

Contact tracing applications have been created to help authorities automate the process of identifying those who have been in close contact with infected individuals.

Using a newly developed tool called COVIDGuardian, which was designed for both static and dynamic program analysis, academic researchers with universities in Australia and the United Kingdom analyzed 40 worldwide Android contact tracing apps and discovered potential security risks in more than half of them.

COVIDGuardian, an automated security and privacy assessment tool, was used to assess the security performance of the analyzed applications against four categories, namely manifest weaknesses, general security vulnerabilities, data leaks (with a focus on personally identifiable information), and malware detection.

Identified issues, the researchers say, include the use of insecure cryptographic algorithms (72.5%), the storing of sensitive information in clear text (55%), insecure random values (55%), permissions to perform backups (roughly 42.5% of apps), and the inclusion of trackers (20 trackers were identified in approximately 75% of the apps).

The research has revealed that the security of these apps is only slightly influenced by the use of a decentralized architecture, but also the fact that users are more likely to install a contact tracing app that has stronger privacy settings.

After being contacted by the researchers, some of the application developers addressed identified issues, including the leak of information and the inclusion of trackers. Other apps, however, were found to include even more vulnerabilities and trackers after they were updated.

The researchers also conducted a survey of more than 370 people regarding the use of contact tracing apps, their concerns, and their preference on centralized or decentralized apps.

“Security and privacy concerns have been a big issue affecting the uptake of these apps,” said Dr Gareth Tyson, senior lecturer at Queen Mary University of London and one of the authors of the study. “We were surprised that the debate around decentralised vs centralised apps didn’t seem so important and, instead, users were more focused on the exact details of what private information is collected. This should encourage developers to offer stronger privacy guarantees for their apps.”

Related: Singapore Admits Police Can Access Contact-Tracing Data

Related: New Trials in England for Troubled Virus Tracing App

Related: COVID-19 Contact Tracing Apps: Effective Virus Risk Management Tools or Privacy Nightmare?

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.