
Security, Privacy Issues Found in Tens of COVID-19 Contact Tracing Apps

An analysis of 40 COVID-19 contact tracing applications for Android has led to the discovery of numerous security and privacy issues, according to a new research paper.

Contact tracing applications have been created to help authorities automate the process of identifying those who have been in close contact with infected individuals.


Using a newly developed tool called COVIDGuardian, which was designed for both static and dynamic program analysis, academic researchers with universities in Australia and the United Kingdom analyzed 40 worldwide Android contact tracing apps and discovered potential security risks in more than half of them.

COVIDGuardian, an automated security and privacy assessment tool, was used to assess the security performance of the analyzed applications against four categories, namely manifest weaknesses, general security vulnerabilities, data leaks (with a focus on personally identifiable information), and malware detection.

Identified issues, the researchers say, include the use of insecure cryptographic algorithms (72.5%), the storing of sensitive information in clear text (55%), insecure random values (55%), permissions to perform backups (roughly 42.5% of apps), and the inclusion of trackers (20 trackers were identified in approximately 75% of the apps).

The research revealed that the security of these apps is only slightly influenced by the use of a decentralized architecture, and that users are more likely to install a contact tracing app that has stronger privacy settings.

After being contacted by the researchers, some of the application developers addressed identified issues, including the leak of information and the inclusion of trackers. Other apps, however, were found to include even more vulnerabilities and trackers after they were updated.

The researchers also conducted a survey of more than 370 people regarding the use of contact tracing apps, their concerns, and their preference between centralized and decentralized apps.


“Security and privacy concerns have been a big issue affecting the uptake of these apps,” said Dr Gareth Tyson, senior lecturer at Queen Mary University of London and one of the authors of the study. “We were surprised that the debate around decentralised vs centralised apps didn’t seem so important and, instead, users were more focused on the exact details of what private information is collected. This should encourage developers to offer stronger privacy guarantees for their apps.”


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
