On Wednesday night five tech experts hosted a COVIDSafe App Teardown & Panel Discussion to present and explain their findings after looking into the code of the government’s new COVIDSafe app. Despite issues with the app on iOS as well as general fears around security and privacy, the vast majority of what the experts had to say was positive.
The panel consisted of Troy Hunt (Pluralsight Information Security Author & Instructor, founder of Have I Been Pwned), Matthew Robbins (Mobile development expert, creator of MFractor), Geoffrey Huntley (open source software engineer & developer advocate), Kate Curruthers (Chief Data & Insights Officer at UNSW) and Alec Tucker (Mobile Architect & Consultant, co-founder of Obiquitech).
Over the course of two hours the experts presented what they have found while digging into the code, as well as their insight on the app’s security, privacy and effectiveness.
While the Australian government has promised to release the source code for COVIDSafe, this is yet to happen. But devs performing their own teardowns in the meantime can help dispel some of the fear surround the app.
As Robbins already pointed out in a Twitter thread, the code confirms what the government has said around how the app stores and uploads your data, as well as how long your phone holds onto it for.
Robbins also confirmed during the panel that the app does not broadcast device names and does not scan for bluetooth signals on other devices other than that of COVIDSafe. This is all good news for users, because it means the app is doing what the Morrison government said it would. And perhaps this makes sense — particularly after big technical mishaps such as the 2016 census, My Health Record and Robodebt. The government had to know that people were expecting them to mess this up too.
“There’s an enormous amount of scrutiny on this app,” said Kate Curruthers, Chief Data & Insights Officer at UNSW.
Curruthers went on to voice general approval of the app saying, “[It] takes a sensible approach to security and a sensible approach to privacy.” Curruthers also noted that she will be downloading the app once legislation around it is put in place in May. All other panelists have already downloaded COVIDSafe.
It's had a mixed reception due to confusion around how it works on iOS and concerns around it affecting battery life. But there have also been positives, such as some devs discovering that the privacy of the app was better than expected. But one of the lesser highlighted issues is how many rural Australians aren't able to register for the app at all.Read more
Another concern around the app is how it was rushed to market, but the panelists had only positive things to say here also.
“Its been built quite well from an engineering and architectural perspective… under the hood its been built well.” said Robbins.
“Is it rushed? I’m not sure that’s relevant. I’m seeing good engineering quality.”
The panelists also did a good job of explaining how the app works on Android as well as why it differs on iOS. It is our understanding that some of the devs are currently diving even deeper into the iOS code with the help of Joel Kek, an engineer who worked on TraceTogether – Singapore’s contact tracing app that COVIDSafe is based on. Kek particularly worked on the BlueTrace protocol and the iOS version of the app.
The COVIDSafe App Teardown & Panel Discussion is available to watch below. If you want to know more you can check out Huntley’s incredibly thorough compilation of teardown results in this Google doc. There is also a public Discord channel where devs are discussing their findings.