There has been a lot of discussion surrounding the government’s coronavirus tracing app, COVIDSafe, but at the forefront have been issues of privacy and its ability to work properly on devices. With the federal government tying the easing of social restrictions to app downloads, developers have reverse engineered the app to find out what’s actually wrong with it. Here’s what they’ve found.
Australia’s COVIDSafe app was released on April 26 as a way of automating the contact tracing procedures health authorities around the country have been doing for months. Contact tracing allows officials to identify potential streams of infection by tracking down everyone who’s been in contact with a known coronavirus case and getting them tested.
But with many of us having fallible memories on top of not knowing everyone we’ve been in contact with over a two-week period, it’s not always accurate. COVIDSafe attempts to plug this hole by capturing the unique IDs of other app users through the use of Bluetooth. It saves and encrypts this data for 21 days on your phone, and in the event that someone you’ve come in contact with is confirmed as a coronavirus case, your contact details (name, age range, post code and phone number) will be released to health authorities and you’ll be brought in for testing.
It sounds like a simple process but it’s anything but. While the app’s architecture was based on an existing tracing app, TraceTogether, made by the Singaporean government, the Digital Transformation Agency (DTA), the government agency behind the app, has taken many liberties with its development and developers have pointed out the rushed nature of its build has led to some crucial flaws.
COVIDSafe privacy bugs
Jim Mussared is part of a group of developers digging into the COVIDSafe app to reverse engineer it while the government’s promised release of its source code remains outstanding. According to a public document on the flaws found, the issues raised include:
- Two flaws that lead to potential long-term (many day) tracking of devices.
- Another flaw provides long-term tracking as well as exposure of the user’s name, in some cases.
- One issue allows for permanent tracking of an iPhone even when the app is uninstalled.
The document outlined that the best way to deal with these bugs if you’re concerned is to switch off Bluetooth except for when you need to use the app, i.e. when you’re in public.
Since the document’s first release on April 28, the app has received some updates. Mussared explained to Gizmodo Australia the updates were largely superficial and didn’t address the flaws he’d pointed out.
“The update to v1.0.15, and subsequently v1.0.16 a couple of hours later, addressed zero of my concerns,” Mussared said.
Cyber security researchers, like Dr Vanessa Teague, conclude some of these bugs are understandable due to the nature of building an app in response to a health crisis but the reluctance to communicate with the development community was not the best method of dealing with it.
“It seems rushed, which is fair enough because I’m sure they were rushed, but they need to be honest about that and fix the bugs,” Dr Teague said to Gizmodo Australia over email.
“There are numerous potential areas in which a mistake could undermine the security and privacy protections that millions of Australians are relying on.”
Developers and cybersecurity experts understand that bugs and flaws are a part of any app development but the issue is there’s no formal process in place to disclose the bugs to the DTA and the draft legislation provides no protection for white hat hackers to test its security.
“A new issue came up last night, found by someone else; I just made a demonstration, and we had it confirmed by the Singapore team within an hour,” Mussared said.
“I still don’t have an official process to report issues to the Australian team.”
Gizmodo Australia contacted the DTA for comment to see if they had any plans to implement a bug disclosure program. It provided an email disclosures could be made to and confirmed the source code would be released in the coming days.
“The Government will also continue to welcome feedback on the app. The whole purpose of ensuring trust with the Australian community for people to use the app is built on transparency. With this in mind, the source code will be released in the coming days,” the DTA confirmed to Gizmodo Australia.
“As is standard practice with any app, bugs or issues can be reported via the app’s ‘Report an Issue’ functionality or by emailing [email protected].”
Is the COVIDSafe app safe?
While the app’s flaws might seem like a good excuse not to download it, Mussared doesn’t think it’s that clear-cut. For many Australians with limited concerns about data privacy, it might not be a big issue; it ultimately comes down to a personal decision.
“People for whom tracking is a risk or a concern should definitely think twice,” Mussared said.
“That said, for most people (including myself, I still have it installed) this won’t be an issue, but we all need to look out for the people for whom it is an issue.”
Dr Teague added it was more of an issue for people in professions where data security is crucial to their work. For journalists, survivors of domestic abuse and those living in Australia after escaping countries under authoritarian rule, it’s an aspect that needs to be considered.
“Different people have different privacy needs,” Dr Teague said.
“I wouldn’t say to anyone else that they should or shouldn’t download it. I would say that, if the privacy of your face-to-face connections is a concern for you, or if you are concerned about your physical presence being linked across different locations, then you need to look into the details and make your own decision.”
With the app being available for over a fortnight now, we’ll have to wait and see what changes are implemented by the government to address these concerns. Coronavirus will be in our lives for some time until a vaccine is created so you can expect the app will be too.