On Sunday, the government launched its coronavirus tracing app, COVIDSafe. Built by the Digital Transformation Agency and the Australian Health Department, it is designed to help digitally contact trace people who have come into contact with confirmed COVID-19 cases. COVIDSafe has utilised code from Singapore’s similar app, TraceTogether.
There were significant question marks in the lead-up to the launch – from whether Bluetooth or GPS would be utilised, to how private the data collection would be and whether the app would be mandatory. While these questions have now been answered, a rocky launch and differences between how the app runs on iOS and Android have raised fresh concerns.
The launch itself got off to a rocky start, with the app becoming available at 3pm AEST on Sunday but registration not opening until 6pm AEST. Alongside the app is a website with a robust FAQ regarding how the app works and how it handles data and privacy.
How The COVIDSafe App Works
COVIDSafe requires a user’s name, mobile number, postcode and age range at sign up. This information is stored on the app.
When the app is running, COVIDSafe uses Bluetooth to broadcast ‘digital handshakes’ to identify two individuals who come within 1.5 metres of one another for at least 15 minutes – it will log an ‘encrypted reference code’ of each user it comes into contact with that fits these parameters.
This data is encrypted and stored on a user’s device for a rolling period of 21 days – after that it is automatically deleted.
If a user is diagnosed with COVID-19 during this 21-day window, they are able to consent to upload the encrypted data so the people they have come into contact with during that time can be alerted. This information will not be uploaded unless the user agrees to it and enters a PIN that will be sent to their phone.
If a user’s data has been uploaded, it can also be deleted (either by themselves or a confirmed case who has come into contact with them) via a Health web request form.
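The rules described above (1.5 metres, 15 minutes, a 21-day rolling window, and upload only with consent and a PIN) can be modelled in a few lines. This is an added illustration, not COVIDSafe's code: `ContactLog`, `sample_log`, the `MAX_GAP` value, the plain-string reference codes and the assumption that each handshake carries a distance estimate are all hypothetical.

```python
import hmac
from datetime import datetime, timedelta

RETENTION = timedelta(days=21)        # rolling window stated in the article
MIN_DURATION = timedelta(minutes=15)  # contact duration stated in the article
MAX_DISTANCE_M = 1.5                  # contact distance stated in the article
MAX_GAP = timedelta(minutes=5)        # assumption: a longer gap restarts an encounter


class ContactLog:
    def __init__(self):
        self.handshakes = []  # (timestamp, opaque reference code, est. distance in m)

    def record(self, when, ref_code, distance_m):
        self.handshakes.append((when, ref_code, distance_m))

    def purge(self, now):
        """Drop every handshake older than the 21-day rolling window."""
        self.handshakes = [h for h in self.handshakes if h[0] >= now - RETENTION]

    def qualifying_contacts(self, now):
        """Codes seen within 1.5 m for at least 15 continuous minutes."""
        self.purge(now)
        by_code = {}
        for when, code, dist in sorted(self.handshakes, key=lambda h: h[0]):
            if dist <= MAX_DISTANCE_M:
                by_code.setdefault(code, []).append(when)
        hits = set()
        for code, times in by_code.items():
            start = prev = times[0]
            for t in times[1:]:
                if t - prev > MAX_GAP:
                    start = t  # gap too long: the encounter restarts
                prev = t
                if prev - start >= MIN_DURATION:
                    hits.add(code)
        return hits

    def upload(self, now, consent, entered_pin, issued_pin):
        """Release contacts only with consent and the PIN sent to the phone."""
        if not consent or not hmac.compare_digest(entered_pin, issued_pin):
            return None
        return sorted(self.qualifying_contacts(now))


def sample_log(now):
    """Constructed sample data: one handshake per minute for each contact."""
    log = ContactLog()
    for code, minutes, dist, days_ago in [("ref-A", 16, 1.0, 1), ("ref-B", 5, 1.0, 1),
                                          ("ref-C", 20, 3.0, 1), ("ref-D", 20, 1.0, 22)]:
        for m in range(minutes):
            log.record(now - timedelta(days=days_ago) + timedelta(minutes=m), code, dist)
    return log
```

In the constructed sample only `ref-A` is released: `ref-B` is too brief, `ref-C` is too far away, and `ref-D` falls outside the 21-day window and is purged.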
Despite the relative straightforwardness of how the app should work, some issues still remain.
COVIDSafe iPhone Issues
iOS devices are currently unable to run the app in the same passive way as Android devices. This mirrors the issues that TraceTogether still has in Singapore.
The FAQ on the COVIDSafe website originally stated that the Android app works best when it is running in the background, which means you can “use your phone as normal”. For iOS, the FAQ originally stated that you need to keep COVIDSafe open for it to work effectively.
Oh interesting the mentions of power saving mode and screen dimming on iOS devices has now been removed from this section of the COVIDSafe website pic.twitter.com/udvg1lYqVy
— @Tegan_Writes, April 26, 2020
This FAQ was later updated to state that for the iOS app to work, it needs to be running and notifications need to be on while you are out in public – especially in meetings and public places. For Android, “in the background” was removed from the FAQ. This change of information has caused some confusion.
Earlier this month Google and Apple announced a partnership to make the APIs of both operating systems work with one another to enable contact tracing. This approach is designed as a framework for apps to be built around.
While the government originally stated that it would not utilise Google and Apple’s joint API approach to contact tracing, it seems that this has now changed.
“The Government will work with Google and Apple to investigate whether the new functionality announced by Google and Apple partnership is beneficial for the app performance,” a spokesperson for minister for government services, Stuart Robert, said in a statement.
This may be necessary because, at present, iOS users need to remember to have the app open and running while also avoiding other Bluetooth applications in order for the app to work effectively. According to Stat Counter, 53.98 per cent of mobile users in Australia are using iOS, so this issue has the potential to have a significant impact on the app’s ability to contact trace effectively.
COVIDSafe Source Code
The source code for the app is currently not available publicly, although the government has said it will be released subject to consultation with the Australian Signals Directorate’s Australian Cyber Security Centre. There has been some concern that the lack of transparency with the source code could be hiding vulnerabilities due to rushed development and launch of COVIDSafe.
Despite the source code not being released yet, some devs have already started digging into it via open-source tools such as apktool and JadX.