How Australia’s COVIDSafe App Actually Works

The government released its coronavirus tracing app over the weekend, after weeks of questions around what tech it would use and how it would treat user privacy. While there is still some confusion, particularly with regard to iOS functionality, we do have some of the answers now.

How To Use COVIDSafe

COVIDSafe can be downloaded from Google Play or the App Store. In order to use it you have to provide your name, mobile number, postcode and age range.

Bluetooth must be enabled for the app to work.

When COVIDSafe is running it utilises Bluetooth to send the equivalent of a digital handshake between two devices. This happens if two individuals running the app come within 1.5 metres of each other for at least 15 minutes.

How private is it?

When this happens your device will log an ‘encrypted reference code’ of this user. This basically means it will take note of the person’s app registration details via an encrypted code.

The encrypted data is stored on a user’s device for a rolling period of 21 days to allow for COVID-19’s long incubation period, as well as time for someone to receive a positive test result. Once that time expires the information will be deleted.

If a user receives a positive COVID-19 result they can consent to upload the encrypted data stored on their device to a cloud-based data store that can only be accessed by health officials.

If a user is diagnosed with COVID-19 during this 21-day window, they are able to consent to upload the encrypted data so the people they have come into contact with during that time can be alerted. This information will not be uploaded unless the user agrees to it and enters a PIN that will be sent to their phone.

If a user’s data has been uploaded, it can also be deleted (either by themselves or by a confirmed case who has come into contact with them) via a Health web request form.

From a legal standpoint, Minister for Health Greg Hunt has issued a Determination under Australia’s Biosecurity Act to protect privacy and restrict access of COVIDSafe data to health officials for contact tracing purposes only.

According to the website, it will be a criminal offence to use the app information for any other purpose, and other agencies, including law enforcement, will not be able to access this information unless they are investigating misuse of the information itself.

This will become legislation in May.

But not everyone is convinced by the government’s claims of encryption. A joint GitHub blog post by cyber security experts Chris Culnane, Eleanor McMurtry, Robert Merkel and Vanessa Teague claims that not all data stored and shared by COVIDSafe is encrypted.

According to their source code findings, the app “shares the phone’s exact model in plaintext with other users, who store it alongside the corresponding Unique ID.”

The writers use the following as an example of how this information could be misused:

“The exact phone model of a person’s contacts could be extremely revealing information. Suppose for example that a person wishes to understand whether another person whose phone they have access to has visited some particular mutual acquaintance. The controlling person could read the (plaintext) logs of COVIDSafe and detect whether the phone models matched their hypothesis. This becomes even easier if there are multiple people at the same meeting. This sort of group re-identification could be possible in any situation in which one person had control over another’s phone. Although not very useful for suggesting a particular identity, it would be very valuable in confirming or refuting a theory of having met with a particular person.”

This essentially means that someone could identify a person by the make and model of their phone by reading the plaintext logs saved by the app because this information is not in fact encrypted. This could be a particular issue for people in abusive relationships.
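The data lifecycle described above (21-day rolling deletion, upload only with consent and a PIN, and the plaintext phone-model field the researchers flagged) can be modelled in a few lines. This is an added example, not COVIDSafe's code: the record layout, field names, PIN value and the choice to strip the phone model on export are all assumptions made for illustration.

```python
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

RETENTION = timedelta(days=21)    # rolling window described in the article
OPAQUE = {"encrypted_ref"}        # assumption: the only field held as ciphertext
CLEAR_BY_DESIGN = {"seen_at"}     # assumption: timestamp stays readable to drive purging

@dataclass
class Encounter:                  # hypothetical record layout, not COVIDSafe's schema
    encrypted_ref: str            # the 'encrypted reference code' of the other user
    seen_at: datetime
    phone_model: Optional[str] = None   # plaintext metadata of the kind the researchers flagged

class EncounterLog:
    def __init__(self, issued_pin):
        self._records = []
        self._issued_pin = issued_pin   # PIN sent to the phone after a positive result

    def record(self, enc):
        self._records.append(enc)

    def purge(self, now):
        """Drop records older than the rolling window; return how many were removed."""
        kept = [r for r in self._records if now - r.seen_at <= RETENTION]
        removed = len(self._records) - len(kept)
        self._records = kept
        return removed

    def plaintext_fields(self):
        """Names of populated fields readable by anyone with access to the phone."""
        return {name for r in self._records for name, value in vars(r).items()
                if value is not None and name not in OPAQUE | CLEAR_BY_DESIGN}

    def export_for_upload(self, now, consent, pin):
        """Release data only with consent and the correct PIN, minimised to what tracing needs."""
        if not (consent and hmac.compare_digest(pin, self._issued_pin)):
            raise PermissionError("upload needs user consent and the PIN sent to the phone")
        self.purge(now)
        return [{"encrypted_ref": r.encrypted_ref, "seen_at": r.seen_at.isoformat()}
                for r in self._records]

if __name__ == "__main__":
    now = datetime(2020, 4, 27, 12, 0)                      # constructed sample data
    log = EncounterLog(issued_pin="493027")
    log.record(Encounter("c2FtcGxlLTE=", now - timedelta(days=22)))
    log.record(Encounter("c2FtcGxlLTI=", now - timedelta(days=3), "ExamplePhone X1"))
    print(log.plaintext_fields(), log.purge(now))
    print(log.export_for_upload(now, consent=True, pin="493027"))
```

Running `plaintext_fields()` over a log like this is the kind of check that surfaces the issue the researchers describe: any populated field outside the encrypted reference is readable on the device regardless of how the ID itself is protected.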

How COVIDSafe Works On Android

COVIDSafe works on Android while running in the background of the device – it just needs to be open. According to the app’s website, “COVIDSafe works best when it is open and running, which means you can use your phone as normal without having to open or check COVIDSafe.”

Android users will know the app is working if they see a sticky notification in the device’s notification panel.

For Android, you need Android 6.0 (Marshmallow) or higher.

How COVIDSafe Works On iOS

The FAQ language regarding how the app works on iOS has changed since the website first launched. Originally it stated “COVIDSafe app needs to be open to work effectively. Keep the app open and notifications on when you’re out and about, especially in meetings and public places. Activate the in-app power saver mode (flip your unlocked device upside down or face down while the app is running). This keeps the app with a dimmed screen so that it can detect other devices running the COVIDSafe app.”

This caused some confusion on social media as to whether this means that the app must be actively on-screen on an iOS device to work. It also raised questions around how much power the app would drain.

Since then the site has been updated to read: “Keep COVIDSafe running and notifications on when you’re out and about, especially in meetings and public places.”

Gizmodo Australia has reached out to Apple about this issue, as well as for clarification around whether Bluetooth hardware, such as an Apple Watch or AirPods, could interfere with the app if used simultaneously. Gizmodo Australia has also reached out to Minister Robert’s office.

Despite the confusion, Minister for Health Greg Hunt has said that unlike Singapore’s app, on which COVIDSafe was based, our app shouldn’t have issues with other apps running. He also confirmed that COVIDSafe will benefit from some of the updates and upgrades that Apple is working on with Google for their joint approach to contact tracing.

“Daniel and his colleagues have been able to work to ensure that that’s not an issue in Australia. But where there are, like every app, additional strengths- strengthening’s which are developed to be able to improve the capacity with signal strength. We know that Apple, around the world, is working on that and we will provide those upgrades and updates as well,” said Hunt in a briefing.

A spokesperson for the Minister of Government Services Stuart Robert also confirmed the Australian government will be looking at working with Apple and Google.

“The Government will work with Google and Apple to investigate whether the new functionality announced by Google and Apple partnership is beneficial for the app performance,” they said in a statement.

What we do know is that if the app hasn’t been working on your iOS device for at least 24 hours, you will receive a notification with troubleshooting instructions.

To use COVIDSafe on an iOS device you need iOS 10 or higher.

How COVIDSafe Works On Other Operating Systems

COVIDSafe doesn’t currently work on other operating systems – this seems to include Android Go and Harmony OS. Huawei devices that don’t have access to Google Play, such as the Mate 30 and P40, will not be able to use the app at the present time.

Is COVIDSafe Open Source?

Last week, the Minister for Government Services Stuart Robert confirmed to Gizmodo Australia the source code for the app will be released.

At the present time the source code is still not available, but the government has said its release will be subject to consultation with the Australian Signals Directorate’s Australian Cyber Security Centre.

Cybercrime expert Professor Richard Buckland and Information Sciences expert Professor Katina Michael have both voiced some concern over the lack of transparency with the source code. One reason for withholding it could be to hide issues with the app that may have arisen due to a rushed development. Releasing it would help dispel this idea as well as answer some of the privacy questions people have about the app.

However, the lack of source code has not stopped some devs from using open source tools to dig into the guts of the app.

Mobile app developer expert Matthew Robbins wrote a thread on Twitter regarding his findings. A lot of what he found in the code lined up with what the government and the app’s website have said about privacy – including the manual uploading of data and cleanup of data after 21 days. He concluded that he was largely happy with COVIDSafe.

Geoffrey Huntley is also providing teardowns of the app via a 50-page Google doc that is accessible for anyone to read.