Why Experts Want The Government To Release The Source Code Of Its Tracing App

High Angle View Of Smart Phone Getting Charged On Table
Image: Getty Images

The Australian government’s coronavirus tracing app is set to be released soon but it hasn’t been without its fair share of controversy due to privacy concerns and a lack of clarity over whether it will be mandatory. The latest concern is that the app’s technical details might not be fully revealed for scrutiny prior to its public release and data security experts are concerned about what that could mean.

As more information comes to light about the government’s soon-to-be-released tracing app, which will allow the government to trace who has had contact with a person infected with coronavirus, industry experts are calling for the full source code of the app to be released to the public, so that experts can help locate vulnerabilities.

It follows confusion over whether the government plans to release the source code.

On April 18, Government Services Minister Stuart Robert said the source code for the government’s coronavirus contact tracing app would indeed be released so that the entire process could be “transparent”.

“The source code will be open for everyone, any university or tech company can go through the source code and provide any updates or guidance to the Government that they wish to,” Robert said in a doorstop interview.

“[It] will be laid open for everyone to see with absolute transparency. So people will see there’s no hidden agenda, there’s no surveillance, there’s no geo-tracking. There’s none of that.”

But days later, Minister for Health Greg Hunt declined to reiterate his promise adding that a full release would still be subject to any hacking concerns.

“Everything that can safely be released will be released,” Hunt said on Triple M’s The Spoonman.

“[It’s] subject to making sure we are protecting everybody’s data, which is the first task, all the details of it will certainly be released and made available and public.”

Gizmodo Australia contacted the government department to confirm the timeline of the source code’s release in relation to the app being publicly available and whether the full source code will be released or just a part of it.

“The government intends to release the source code for the app. Subject to cybersecurity advice, the government will not be releasing any code that could compromise privacy or security for both Australians using the app and state health authorities, such as encryption keys,” a spokesperson for Services Australia told us over email.

It did not provide an expected timeline for its release.

Australia's Coronavirus Tracing Apps Are On The Way But User Privacy Remains A Concern

The race to contain coronavirus is underway in Australia. While local efforts to trace confirmed cases has likely resulted in a decline in spread, it's an intensive operation authorities are looking to streamline. One way to automate that process is through the use of mobile phone apps but its prompting concerns over privacy.

Read more

What is a source code?

Simply put, an app’s source code is a set of rules, written in programming languages, that help it to work and look the way it’s meant to.

“Source code is what programmers write programs in,” said Professor Ben Rubinstein, a University of Melbourne data privacy expert, pointing to Python or Java as the most common programming languages they’re written in.

Despite source codes being described as ‘plain language’ for those who know how to speak it, they need to be translated into more technical codes so devices can read and execute them.

“To turn [a source code] into an app for your phone, it gets translated into a language the phone understands — ‘machine code’. Machine code is much harder for humans to read and understand than source code, in the same way a message written in morse code is harder for most people to read than if it were written in English,” Professor Richard Buckland, a cybercrime expert at UNSW, said to Gizmodo Australia over email.

Think of them as the instructions that make your app do all the impressive things it does, added University of Wollongong’s Professor Katina Michael.

A tool for laying out the app’s potential vulnerabilities

Source codes are often broken up into two distinct categories — open source and closed source. As the descriptors imply, one set of code is publicly released and available for anyone to study, use and customise to their will, the other is not.

“Programming is prone to errors, especially when it comes to big software and security-critical software. It is good security practice to not hide how a program or software works,” Dr Asghar, an information security researcher at Macquarie University, said to Gizmodo Australia.

“One way to hide is to not release the source code.”

Singapore’s government contact tracing app, TraceTogether, which launched on 20 March, was recently made open source allowing researchers from around the world to dive into the code and look for any vulnerabilities as well as figure out what data is available and who can access it.

Professor Rubinstein worked with Dr Asghar and other Australian researchers on the TraceTogether source code and found while it met a lot of basic privacy tenants, it didn’t address some issues with government access to the data.

“While many features of TraceTogether are laudable — the use of Bluetooth to observe proximity to other people without the use of privacy-sensitive GPS location — privacy experts have pointed out areas for improvement,” Professor Rubinstein told Gizmodo Australia.

“While TraceTogether provides privacy from other users, it does not provide sufficient privacy from the government or any third-party servers it may use.

“A better solution would be a more de-centralised approach.”

Without TraceTogether’s source code being made available, the task of pulling a part an app would be made much more laborious for researchers.

Releasing a source code doesn’t necessarily invite hackers

The Australian government has cited the code’s release would be subject to any cybersecurity risks but experts agree that the benefits outweigh these potential concerns.

“Some want to make the claim that releasing open source code makes software vulnerable to hacking but this is not the case when we consider that ‘security’ should be embedded into the functional design specification of any new software,” Professor Michael said.

Plenty of closed source apps and programs have been hacked thanks to reverse engineering, Professor Buckland added, so not releasing a source code doesn’t really make it any safer.

“It’s important to realise that you don’t need to be given the source code to be able to work out what it is. There are many tools to help moderately talented programmers take the app from their phone and ‘reverse engineer’ it to work out the source code from the app’s machine code,” Professor Buckland said.

“Not handing out the source code just makes it a bit more of a bother for people to examine the code for weaknesses but it doesn’t actually stop anyone determined, such as bad guys. [Not releasing the source code] would likely turn the thousands of friendly eyes helping you into just tens.”

Instead, inviting more eyes to search for any issues with the app can help to find flaws developers didn’t know were there. It’s certainly been the case for successful bounty programs around the world, including Apple, Facebook and Google‘s, where ‘white hat’ hackers — the good guys — scour codes looking for any areas that might be susceptible to hackers with bad intentions.

Professor Michael added it gives more control to Australians who might consider using the app, knowing it’s been vetted by people outside of a central authority like the government.

“[It] creates a sense of community-oriented development, and as a result is a good way to learn how to make better software. If the open source code has been created by citizenry, it grants the people ‘power’ as opposed to corporations or governments,” Professor Micheal said.

How Singapore's Coronavirus Tracking App Works

On March 20 Singapore released a mobile app to help track the spread of novel coronavirus. Over 620,000 people signed up within a week, and the developers have been making an open source version ever since to help other countries develop their own versions. Here's how TraceTogether actually works.

Read more

Lack of government transparency could point to issues with the app’s architecture

While the government has not stated how long the app has been in production, confirmation of its existence was only made public in mid-April. This means the app’s production process, like other announcements made around the world, may have been relatively short.

It’s a concern Dr Asghar believes could be behind any reluctance to release the full source code.

“One main reason could be that the app and its underlying infrastructure is being developed in a relative hurry, without comprehensive testing of the code and security analysis of the protocol,” Dr Asghar said.

“Under normal circumstances, this should only be done after comprehensive testing and security analysis. There could, therefore, be security or privacy loopholes that no one has thought of right now, but could be discovered later.”

It’s an area the experts are concerned about due to the fact that hiding the app’s vulnerabilities is like sweeping something under the rug — hackers will always find a way.

“Hiding the code and legislating to keep it hidden will just hide the existence of problems from the public eye, until inevitable catastrophic failure occurs,” Professor Buckland said, adding that the problems could then later be found by the ‘bad guys’.

It’s not just finding the app’s flaws, however. Professor Rubinstein believed it was important for the public to understand what exactly they might be signing up to. Not just whether their data could be accessed by unknown actors.

“The Australian Government should follow Kerckhoff’s principle — that there’s no security through obscurity – and release its source code so that the public might better understand the privacy and security implications of sharing [their] data,” Professor Rubinstein said.

While the release of the full source code would be welcomed by Australia’s information security community and is at the heart of this discussion, it might not be enough.

The full source code’s release will likely answer many looming questions over the technology’s capabilities and vulnerabilities but Professor Michael would like to see the government commit further to full transparency.

“They need to include the ‘full’ source code. Ideally, this would include Application Programming Interfaces (APIs) and corresponding ‘libraries’ that are called on within the lines of code,” Professor Michael said.

“Of particular emphasis is the cryptographic element used to ‘encrypt’ the proximate physical social network of the end-user — additionally, what communications protocols and standards are being used to pass information between devices, and from device to the centralised storage.”

She added that an initial release of this information is necessary but to ensure things are’t later changed down the track, an independent body would need to monitor any changes made to the app while it’s in use.

“By doing so, all changes to the original source code can also be monitored by an independent oversight body,” Professor Michael said.

Details of how the app will function still remain limited

The source code discussion is just the latest in a string of mixed messages about what exactly the parameters of the app will be. After it was raised the app’s uptake would need to meet a certain percentage of the population in order to be useful, Prime Minister Scott Morrison declined to rule out making the app mandatory.

He later backtracked on those comments confirming via Twitter the app would not be mandatory.

While the government has yet to publicly release any prototypes or screenshots, the government confirmed to Gizmodo Australia it was modelled on Singapore’s TraceTogether app.

Using Bluetooth technology, Australians who download the app would ping with other devices using it when within range for at least 15 minutes. This data will be encrypted within the phone for 21 days and if a user later tests positive with coronavirus, health authorities will be able to download the infected user’s log, including names and phone numbers, of anyone who had been within range of them during the infectious period. They would then be able contact those potential cases and order isolation periods and testing.

The government has repeatedly stated location data will not be captured by the app. Without the source code, however, it’s just a matter of trusting politicians who admit they have limited technical understanding.

Most Of Us Won’t Download The Coronavirus Contact Tracing App Unless Everyone Does

As governments look to ease general social-distancing measures and instead use more targeted strategies to stop coronavirus transmission, we face a social dilemma about the limits of cooperative behaviour.

Read more