While the source code for the government’s new coronavirus tracing app isn’t available yet, that doesn’t mean you can’t take a peek. Some devs have already taken to Twitter to share what they’re finding beneath the surface of the app. And for the most part, it’s good news.
COVIDSafe Source Code
Mobile app developer Matthew Robbins began tweeting his findings on Sunday night, after COVIDSafe was released to the public. He pulled the Android app apart using open-source tools such as apktool and JadX.
For anyone concerned with privacy, the majority of what Robbins found aligns with what has been publicly announced about how the app handles data and privacy. Robbins found that COVIDSafe data is not accessible by other applications, that the device name is not broadcast, and that data has to be manually uploaded after a one-time PIN request.
He also found that data is indeed deleted from the app after 21 days, and that uploads are transmitted over HTTPS to an Amazon Web Services instance secured with a key pair.
This means data is secured using the operating system’s security mechanisms and *is not* accessible by other applications.
Unless you have a jail-broken device or have deliberately unlocked root permissions, the data collected by #covidsafe is secure.
— Matthew Robbins (@matthewrdev) April 26, 2020
In terms of data transmission and remote storage, the app requires that the user manually upload the data.
The only place in the app that transmits the data is the UploadDataUseCase: pic.twitter.com/gg4GwnJdKh
— Matthew Robbins (@matthewrdev) April 26, 2020
#covidsafe then uses a BluetoothLeScanner to watch for other devices that broadcast the app’s known SSID.
Basically, #covidsafe only picks up and records other phones that have given their permission to broadcast.
This implementation is vanilla Android and is industry standard. pic.twitter.com/wncdsr5scf
— Matthew Robbins (@matthewrdev) April 26, 2020
Data is stored locally in a SQLite database using the RoomDatabase API.
This places collected data inside the app’s internal storage, a secure part of your phone strictly private to #covidsafe. pic.twitter.com/u8y8mo8WUu
— Matthew Robbins (@matthewrdev) April 26, 2020
After sharing some of his findings and insights, he concluded that he was happy with what he had found in the COVIDSafe code.
From what I can see, everything in the #covidsafe app is above board, very transparent and follows industry standard.
I’d be interested in hearing perspectives on the app from my tech friends. Please chime in if you are also having a dig around and find something of note.
— Matthew Robbins (@matthewrdev) April 26, 2020
It’s worth noting that another expert in the area, Geoffrey Huntley, has also done a teardown of the app. He has set up a Discord server that anyone is free to join, and written a 50-page document on COVIDSafe that anyone is free to read.
Robbins went on to make some good points about digital literacy in 2020. He voiced concerns over people worrying so much about this app while also potentially downloading other apps and games that require access to far more personal data.
People downloading the latest freemium games but being worried about an app designed to suppress a pandemic is akin to worrying about a gluten-free diet while smoking a pack a day.
— Matthew Robbins (@matthewrdev) April 26, 2020
Of course, data privacy isn’t a zero-sum game. While incidents like the Cambridge Analytica scandal reminded us why auditing our app permissions regularly is important, people’s concern over government access is still understandable, particularly when you take the issues around My Health Record, RoboDebt and our data retention and anti-encryption laws into account.
It’s also worth noting that it is very early days for analysis of the code, and the government has not yet released source code for the developer community to explore.
But this doesn’t mean it’s all good
While these teardowns have confirmed much of what the government has said about how the app works, other experts in the field still have some security concerns. For one, they are reporting that not all of the data transmitted or stored by COVIDSafe is actually encrypted.
4/4: Both systems send and store the exact model of the phone you’ve received an encrypted ID from. This is sent unencrypted over Bluetooth and stored unencrypted in the phone’s logs. Singapore’s FAQ at least mentions this; the Aus privacy policy doesn’t. #covidsafe #auspol
— Vanessa Teague (@VTeagueAus) April 26, 2020
In a real-world context, this means that someone could, in theory, narrow down who a person is from their phone model, because that information is not encrypted. While this may not be much of a problem in a crowd, it’s worth thinking about situations where you’re in the vicinity of someone for 15 minutes or more, which is the time the app needs to log another user.
Something like this does have the potential to be misused, particularly in abusive relationships.
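To make that concern concrete, here is an added example (it is not COVIDSafe code, and not the analysis published by Teague and her colleagues) that simulates what a nearby phone can infer from a plaintext model string. It assumes a simplified exchange in which each nearby phone sends a rotating, opaque ID plus its model name in the clear, and the observer logs both; the encounter log and the named people are constructed for the demo.

```python
"""Why an unencrypted phone-model field can act as a quasi-identifier.

Added example for this article; it is not COVIDSafe code and not the
analysis published by Teague and colleagues. The encounter log and the
populations below are constructed for the demo. Assumed (simplified)
exchange: each nearby phone sends a rotating, opaque ID plus its model
name in the clear, and the observer's phone logs both.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Encounter:
    minute: int    # minutes since the observer's log began
    temp_id: str   # rotating identifier; opaque to the observer
    model: str     # phone model string, received unencrypted


# Constructed log: one observer sees three other phones over ~50 minutes.
# The IDs rotate roughly every 15 minutes; the model strings never change.
LOG: List[Encounter] = [
    Encounter(0, "id-a1", "Galaxy S10"),
    Encounter(1, "id-b1", "iPhone 11"),
    Encounter(2, "id-c1", "Galaxy S10"),   # a second Galaxy S10 passing by
    Encounter(16, "id-a2", "Galaxy S10"),
    Encounter(17, "id-b2", "iPhone 11"),
    Encounter(31, "id-a3", "Galaxy S10"),
    Encounter(33, "id-b3", "iPhone 11"),
    Encounter(47, "id-b4", "iPhone 11"),
    Encounter(48, "id-a4", "Galaxy S10"),
]

# Constructed populations used to show how far a model narrows things down.
HOUSEHOLD: Dict[str, str] = {"alice": "iPhone 11", "bob": "Galaxy S10"}
CROWD: Dict[str, str] = {
    "alice": "iPhone 11", "bob": "Galaxy S10",
    "carol": "Galaxy S10", "dan": "Galaxy S10",
}


def distinct_temp_ids(log: List[Encounter]) -> int:
    """Linking on the rotating ID alone: every rotation looks like a new phone."""
    return len({e.temp_id for e in log})


def sightings_by_model(log: List[Encounter]) -> Dict[str, List[int]]:
    """Linking on the plaintext model instead: sightings collapse into tracks."""
    tracks: Dict[str, List[int]] = defaultdict(list)
    for e in sorted(log, key=lambda e: e.minute):
        tracks[e.model].append(e.minute)
    return dict(tracks)


def presence_span(log: List[Encounter]) -> Dict[str, Tuple[int, int]]:
    """First and last minute each model was seen, e.g. 'an iPhone 11 was near me from 1 to 47'."""
    return {m: (mins[0], mins[-1]) for m, mins in sightings_by_model(log).items()}


def candidates(model: str, population: Dict[str, str]) -> List[str]:
    """Who in a known group carries this model; one name means the model alone identifies them."""
    return sorted(name for name, m in population.items() if m == model)


if __name__ == "__main__":
    print("distinct rotating IDs:", distinct_temp_ids(LOG))
    for model, span in presence_span(LOG).items():
        print(f"{model}: seen from minute {span[0]} to {span[1]}")
    print("iPhone 11 in household:", candidates("iPhone 11", HOUSEHOLD))
    print("Galaxy S10 in crowd:", candidates("Galaxy S10", CROWD))
```

Run on the constructed log, the rotating ID yields nine apparently different phones, while the model string yields one continuous track per model: the observer learns that an iPhone 11 was nearby from minute 1 to minute 47 even though its ID changed four times. In the two-person household the model alone names the other person; in the crowd of common handsets it only gives a candidate list, and the two Galaxy S10s in the log are merged into one track. That is the caveat: a model string is a weak identifier in a crowd but a strong one in a small group whose phones you already know.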
Teague, along with Chris Culnane, Eleanor McMurtry and Robert Merkel, has expanded on this issue in a blog post on GitHub.