Developer’s Twitter Thread Shows Why Australia’s Coronavirus App Security Isn’t As Bad As We Feared

Developer’s Twitter Thread Shows Why Australia’s Coronavirus App Security Isn’t As Bad As We Feared

While the source code for the government’s new coronavirus tracing app isn’t available yet, it doesn’t mean you can’t take a peek. Some devs have already taken to Twitter to share what they’re finding hiding beneath the surface of the app. And for the most part, it’s good news.

COVIDSafe Source Code

Mobile app developer expert Matthew Robins began tweeting his findings on Sunday night after COVIDSafe was released to the public. He was able to tear down the app by using opensource tools such as apktool and JadX.

For anyone concerned with privacy, the majority of what Robbins found aligned with what has been publicly announced, in regards to how the app handles data and privacy. Robbins found that COVIDsafe data is not accessible by other applications, the device name is not broadcast and data has to be manually uploaded via a one-time pin request.

He also found that data is indeed deleted off the app after 21 days and that data is transmitted via HTTPS to an Amazon Web Services instance that is secured with key pair.

After sharing some of his findings and insights, he concluded that he was happy with what he has found in the COVIDSafe source code.

It’s worth noting that another expert in area, Geoffrey Huntley, has also done a teardown of the app and has created a discord server as well as a 50-page document regarding COVIDSafe that is free for anyone to join and read, respectively.

Robbins went on to make some good points about digital literacy in 2020. He voiced concerns over people worrying so much about this app while also potentially downloading other apps and games that require access to far more personal data.

Of course, data privacy isn’t a zero sum game. While instances like the Cambridge Analytica scandal reminded us why auditing our app permissions regularly is important, people’s concern over government access is still understandable – particularly when you take the issues around My Health Record, RoboDebt and our data retention and anti-encryption laws into account.

It’s also worth noting it is very early days for analysis of the code, and the government has not as yet released source code for the developer community to explore.

But this doesn’t mean it’s all good

While these tear downs have confirmed much of what the government has said around how the app works, other experts in field still have some security concerns. For one, they are reporting that not all of the data transmitted or stored by COVIDSafe is actually encrypted.

In a real world context, this means that someone could theoretically be able to identify a person by the phone model as this information is not encrypted. While this may not be such a big problem in crowds, it’s worth thinking about situations where you’re in the vicinity of someone for 15 minutes or more – which is the time the app needs to log another user.

Something like this does have the potential to be misused, particularly in abusive relationships.

Teague, along with Chris Culnane, Eleanor McMurtry and Robert Merkel have expanded on this issue in a blog on GitHub.

How Australia's COVIDSafe App Actually Works

The government released its coronavirus tracing app over the weekend, after weeks of questions around what tech it would use and how it would treat user privacy. While there is still some confusion, particularly in regards to iOS functionality, we do have some of the answers now.

Read more