Reporting COVIDSafe’s Bugs Is Challenging, Developer Says

Reporting COVIDSafe’s Bugs Is Challenging, Developer Says
Image: Getty Images

The government has now released the source code of its contact tracing app, COVIDSafe, but a developer has noted he’s hitting brick walls when it comes to reporting any bugs or flaws with the app.

The Digital Transformation Agency (DTA) has released the source code for its COVIDSafe app as promised, which researchers are scouring for insights and flaws, including one awkward omission of Tasmania in an unused piece of code.

While Australia’s developers had already reverse-engineered the source code from the app for both iOS and Android, seeing the source code allowed them to pour over some of the finer details including a direct comparison between it and Singapore’s TraceTogether app.

COVIDSafe's Source Code Has Been Released

The government has released the much-anticipated technical details of its coronavirus tracing app, COVIDSafe, but developers noticed an interesting state-sized omission from one part of the code

Read more

Jim Mussared is one Australian developer who’s been working on uncovering the app’s flaws to ensure it’s doing what it’s meant to. For him, it’s made one thing particularly clear ” the DTA hasn’t been easy to work with when it comes to disclosing bugs.

“Seeing the source code allows us to do a direct comparison to the Singapore [TraceTogether] code,” Mussared said to Gizmodo Australia over email.

“One very clear result of this is that there were zero functional changes to the iOS BLE backgrounding behaviour (CentralController.swift). We know that the Singapore team knew that background-to-background iPhone didn’t work, so any claims by the DTA that they ‘fixed it’ indicate that either they never actually tested [or] investigated it, or their testing methodology was flawed.”

Mussared explained it wasn’t the only oversight the app’s source code had revealed but said communicating with the agency was proving difficult.

“There is still no commitment from the DTA to fixing any of the issues raised in my doc. However, they have promised that the next release will fix a different issue raised by someone else, so I don’t know what to make of that,” Mussared said.

“There’s no way to accept community contributions, the license is extremely unfriendly, and there [are] no plans for them to do any of the development in the open. There’s not even a commitment to do further updates.”

Last week, the DTA told Gizmodo Australia that anyone could report issues with the app via its ‘Report an Issue’ functionality or by emailing [email protected]

Mussared’s document, which we reported on last week, outlined a number of flaws including privacy bugs that led to many day tracking of devices as well as permanent tracking of an iPhone even if the app is deleted.

Mussared said the source code was based on 1.0.16 Android and 1.1 iOS versions of the app, which held the flaws found by him. He said he hasn’t received any indication whether the privacy issues will be fixed in any upcoming updates.

Gizmodo Australia has contacted the DTA to understand how its process works and if it’s working on fixing any of the flaws Mussared and the group of developers have pointed out.

“As continuously stated, the Government will continue to work with Apple and Google to look for any opportunities to enhance the performance of their Bluetooth functionality ” something that is not exclusive to the COVIDSafe app,” a DTA spokesperson said to Gizmodo Australia.

“The app performs better than many similar apps in other countries.”

It pointed to its news post about the source code’s release when asked what its process was in regards to any bug disclosures.

“While we may be unable to reply to every individual who provides feedback, please know that your feedback will be reviewed and triaged depending on its impact to security and usability,” the DTA’s news post read.

Some of the issues, Mussared said, could be fixed with a few simple tweaks considered best practice in the developer community. For starters, he believes there should be a separate email for priority security and privacy issues but a bug bounty program, similar to what many major companies like Google, Microsoft and Facebook offer, would help make the situation far more tenable.

Right now, Mussared has said he’s unsure if the flaws he’s pointed out are being worked or dismissed. A similar error with the coding in Canada’s ABTraceTogether app was uncovered and Mussared has been in contact with the development team over there who are working on fixes.

It’s this sort of communication and cooperation he expects to happen with Australia’s own app.

“The [DTA’s source code] repositories are read-only and the licence is extremely aggressive and unfriendly. The way this should work is that all the various OpenTrace variants should be forks of the upstream Singapore repository and fixes can be shared between them,” Mussared said.

“Additionally, they need to enable the issue tracker and have some process around how to accept pull requests. They might as well have just put a zip file on their website.”

It’s expected another update will be released this week but we’ll have to wait to see if it addresses any of the bugs pointed out by Mussared.

COVIDSafe Still Has Bugs, According To Experts

There has been a lot of discussion surrounding the government's coronavirus tracing app, COVIDSafe, but at the forefront has been issues of privacy and its ability to work properly on devices. With the federal government tying the easing of social restrictions to app downloads, developers have reverse engineered the app to find out what's actually wrong with it. Here's what they've found.

Read more