Google and Apple’s much-awaited API update has arrived but experts believe it won’t solve the functionality issues plaguing Australia’s contact tracing app, COVIDSafe, without some serious changes.
COVIDSafe was launched by the Digital Transformation Agency (DTA) on April 26 and works by enabling Bluetooth ‘handshakes’ between devices with the app to record who you’re in contact with over a 21-day period. If one of those contacts then test positive for the virus, it informs anyone who had been within range of them during that period.
But despite being touted as the key to getting Australia on track to recovery from the coronavirus crisis, users — particularly ones with iPhones — have had trouble getting it to work properly.
Apple and Google announced they were working on a solution before COVIDSafe’s release
Just two weeks prior to COVIDSafe’s release, Apple and Google had announced they were teaming up to work on solving some functionality and security issues regarding the incoming wave of contact tracing app developments.
In layman’s terms, Android and iOS devices had different security arrangements relating to Bluetooth functionality on third-party apps, which meant developers would have a hard time creating a contact tracing app for both operating systems. Google and Apple decided to work together on an API update that would solve most of these difficulties and Apple’s recent iOS 13.5 update now includes the promised feature — the Exposure Notification Framework.
Associate Professor Vanessa Teague, a cybersecurity expert working with a group of researchers and developers to expose any flaws in the app, said the feature would be tough to integrate into the app.
Unlike the government’s centralised system for gathering COVIDSafe data and storing it on an Amazon server, Apple and Google’s API approach prefers a decentralised system that makes each phone its own data server.
“Rather than uploading your contacts to a central health authority like COVIDSafe does, the app on your phone reads a list of pings from people who have tested positive and notifies you directly without the information passing through a central authority,” Professor Teague said in an email to Gizmodo Australia.
Jim Mussared is a developer who’s been working with Professor Teague and other researchers to uncover the app’s flaws. He believes COVIDSafe’s migration to Apple and Google’s decentralised approach is the most sensible thing the DTA could do with the app.
“It would address all the issues I’ve raised so far, and from a technical point of view it is not just the sensible thing to do right now, it was the right thing to do six weeks ago,” Mussared said to Gizmodo Australia.
“The Apple/Google Exposure Notification API is designed for this specific purpose, by people who know these platforms inside out, and with privacy as the primary goal. From a technical perspective, it is a vastly superior design.”
The government is considering Apple and Google’s solution
Given the Exposure Notification Framework works at odds with how COVIDSafe was setup, it’s not exactly clear how the two could work together.
“[The DTA] has made a specific decision to go with a centralised information flow, and the new Apple/Google API doesn’t help with that at all,” Dr Teague said.
Gizmodo Australia asked the DTA about its plans regarding the new API and it confirmed it was working with the companies to see how it could be applied to COVIDSafe.
“The DTA and the Department of Health have been working with Apple and Google to understand and test the Exposure Notification Framework since it was released to see how it can be applied in Australia,” a DTA spokesperson told Gizmodo Australia in a statement, adding that the “testing is ongoing”.
The DTA’s CEO Randall Brugeaud told a Senate committee in early May the agency was aware of the app’s functionality flaws on iOS devices.
“What we can say is the quality of the Bluetooth connectivity for phones that have the app installed running in the foreground is very good,” Brugeaud said to the Senate committee.
“It progressively deteriorates and the quality of the connection is not as good as you get to a point where the phone is locked in the app is running in the background.”
Brugeaud confirmed the issue was “highly variable” depending on devices and that it would be one of the first countries to adopt Apple and Google’s updates.
The API update turns the COVIDSafe app on its head
The issue is if the DTA did decide to incorporate Apple and Google’s framework, which could fix many of those known issues, it could unravel COVIDSafe’s whole premise in the first place. Swapping from a centralised approach to a decentralised one, Professor Teague explained, would completely change how the app was built.
“The surface appearance [of COVIDSafe] might not change much, but everything about the information flow would be different,” Professor Teague said.
“If they’re willing to change [to Apple and Google’s approach], then the change will need to be a fundamental overhaul.”
It’s not just the app that is tied up into this centralised system — it’s explicitly written into the legislation, which passed parliament in mid-May.
How migrating to a decentralised approach will affect the legislation remains to be seen but it’s expected many of references to the central Amazon server it uses, the national COVIDSafe data store, would effectively become redundant.
Of course, the DTA could just reject Apple and Google’s update completely and find a fix for the issues without resorting to a complete overhaul. Whether that ends up being its choice is something we’ll have to wait and see.
While switching to Google and Apple’s framework for contact tracing might be a short-term embarrassment for COVIDSafe advocates within the government, experts say it’s a win in the long-term and surely, that’s what’s most important here.