Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Application Security

Security, Privacy Issues Found in Tens of COVID-19 Contact Tracing Apps

An analysis of 40 COVID-19 contact tracing applications for Android has led to the discovery of numerous security and privacy issues, according to a new research paper.

Contact tracing applications have been created to help authorities automate the process of identifying those who have been in close contact with infected individuals.

An analysis of 40 COVID-19 contact tracing applications for Android has led to the discovery of numerous security and privacy issues, according to a new research paper.

Contact tracing applications have been created to help authorities automate the process of identifying those who have been in close contact with infected individuals.

Using a newly developed tool called COVIDGuardian, which was designed for both static and dynamic program analysis, academic researchers with universities in Australia and the United Kingdom analyzed 40 worldwide Android contact tracing apps and discovered potential security risks in more than half of them.

COVIDGuardian, an automated security and privacy assessment tool, was used to assess the security performance of the analyzed applications against four categories, namely manifest weaknesses, general security vulnerabilities, data leaks (with a focus on personally identifiable information), and malware detection.

Identified issues, the researchers say, include the use of insecure cryptographic algorithms (72.5%), the storing of sensitive information in clear text (55%), insecure random values (55%), permissions to perform backups (roughly 42.5% of apps), and the inclusion of trackers (20 trackers were identified in approximately 75% of the apps).

The research has revealed that the security of these apps is only slightly influenced by the use of a decentralized architecture, but also the fact that users are more likely to install a contact tracing app that has stronger privacy settings.

After being contacted by the researchers, some of the application developers addressed identified issues, including the leak of information and the inclusion of trackers. Other apps, however, were found to include even more vulnerabilities and trackers after they were updated.

The researchers also conducted a survey of more than 370 people regarding the use of contact tracing apps, their concerns, and their preference on centralized or decentralized apps.

Advertisement. Scroll to continue reading.

“Security and privacy concerns have been a big issue affecting the uptake of these apps,” said Dr Gareth Tyson, senior lecturer at Queen Mary University of London and one of the authors of the study. “We were surprised that the debate around decentralised vs centralised apps didn’t seem so important and, instead, users were more focused on the exact details of what private information is collected. This should encourage developers to offer stronger privacy guarantees for their apps.”

Related: Singapore Admits Police Can Access Contact-Tracing Data

Related: New Trials in England for Troubled Virus Tracing App

Related: COVID-19 Contact Tracing Apps: Effective Virus Risk Management Tools or Privacy Nightmare?

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

The AI Risk Summit brings together security and risk management executives, AI researchers, policy makers, software developers and influential business and government stakeholders.

Register

People on the Move

Data security startup Reco adds Merritt Baer as CISO

Chris Pashley has been named CISO at Advanced Research Projects Agency for Health (ARPA-H).

Satellite cybersecurity company SpiderOak has named Kip Gering as its new Chief Revenue Officer.

More People On The Move

Expert Insights