COVIDSafe, Australia’s coronavirus contact tracing app, has just gotten an update which addresses some bugs and privacy concerns. The update will also help with some of the background Bluetooth problems that iOS devices have suffered with the app so far.
Information regarding the updates on both the App Store and Google Play is vague, simply stating:
- Push notifications are now optional
- Improvements to Bluetooth security and connectivity
- Accessibility enhancements
- Bug fixes
Gizmodo Australia has reached out to the Digital Transformation Agency (DTA) for specifics and clarification around the bug fixes.
But we do know what some of them are thanks to developers who have done teardowns and dug through the recently released source code.
Two of the key bug fixes involve the temporary ID change that had not been working properly on devices. A temporary ID that is attached to the phone for privacy reasons was supposed to change every two hours, but it wasn’t. This meant that it was much easier for a phone to be identifiable.
This issue had been identified and reported by Jim Mussared, an Australian developer who has been working to identify and report flaws and bugs in COVIDSafe. Thankfully, this particular privacy issue has now been fixed.
“The simplest summary is that COVIDSafe is no longer a beacon advertising two different fixed IDs that identify your phone long-term. It’s no longer quite so trivial to build a scanner that can say ‘that’s the same phone I saw yesterday’,” said Mussared in a Twitter message to Gizmodo Australia.
For people running #covidsafe: Make sure you install today's update (v1.0.17 for Android). It contains two fixes, addressing two of the long-term tracking issues I raised. There's still a way to go, but, progress!
There are also fixes in the Android app that help the iPhone app.
— Jim Mussared (@jim_mussared) May 14, 2020
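To make the rotation property concrete, here is a small privacy audit script that checks a log of Bluetooth sightings against the two-hour rotation window described above. It is an added example written for this article, not COVIDSafe code or anything published by Mussared; the log format, the `tid-…` identifiers and the timestamps are all constructed. It measures, for each temporary ID, how long that ID stayed observable (first to last sighting, which is a lower bound on how long it was in use) and flags any ID that outlived the window, which is exactly the long-term linkability the pre-update app exhibited.

```python
"""Rotation-window audit for BLE temporary IDs.

Added example (not COVIDSafe code). The app is meant to rotate the
temporary ID it advertises every two hours; an ID that stays observable
for longer than that lets an observer link sightings of the same phone
across the day. This script checks a sightings log for that failure.
"""
from datetime import datetime, timedelta

# Rotation window the article describes: a temp ID should change every two hours.
ROTATION_WINDOW = timedelta(hours=2)

# Constructed sample log of sightings of one phone (timestamp, temp ID).
# The IDs and times are made up for this example. tid-3333 is the failure
# case: it is still being advertised four hours and twenty minutes later.
SAMPLE_LOG = """\
2020-05-14T08:00:00 tid-1111
2020-05-14T09:55:00 tid-1111
2020-05-14T10:05:00 tid-2222
2020-05-14T11:40:00 tid-2222
2020-05-14T12:10:00 tid-3333
2020-05-14T16:30:00 tid-3333   # stale: rotation did not happen
2020-05-14T17:00:00 tid-4444
"""


def parse_log(text):
    """Parse 'ISO-timestamp temp-id' lines into (datetime, id) tuples.

    Blank lines and '#' comments are ignored so the sample above stays readable.
    """
    sightings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ts, tid = line.split()
        sightings.append((datetime.fromisoformat(ts), tid))
    return sightings


def id_lifetimes(sightings):
    """Return {temp_id: last_seen - first_seen} for every ID in the log.

    The span is a lower bound on how long the ID was actually in use; the
    log is sorted so out-of-order entries do not distort the result.
    """
    first, last = {}, {}
    for ts, tid in sorted(sightings):
        first.setdefault(tid, ts)
        last[tid] = ts
    return {tid: last[tid] - first[tid] for tid in first}


def audit(sightings, window=ROTATION_WINDOW):
    """Return the IDs (and their observed spans) that outlived the rotation window."""
    return {tid: span for tid, span in id_lifetimes(sightings).items() if span > window}


def longest_linkable_span(sightings):
    """Longest period during which one ID alone let an observer track the phone."""
    lifetimes = id_lifetimes(sightings)
    return max(lifetimes.values()) if lifetimes else timedelta(0)


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    for tid, span in audit(log).items():
        print(f"{tid}: observable for {span}, exceeds {ROTATION_WINDOW}")
    print(f"longest linkable span: {longest_linkable_span(log)}")
```

Run against a log of your own device's advertisements (as the rotation fix lands, every reported span should drop to under two hours), the script reports `tid-3333` for the constructed sample and a longest linkable span of 4:20:00. The check only proves an ID was seen too long; a clean result on a short log is not proof of correct rotation, so collect at least a few hours of sightings before drawing conclusions.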
The update will also benefit those running COVIDSafe on iOS.
One of the core issues on iPhone devices is that COVIDSafe can have issues running in the background. While this hasn’t been fully solved yet, the Android update will help somewhat.
“iPhones do a bunch of sensible things to prevent apps doing what COVIDSafe does,” said Mussared.
“One of those things is that when backgrounded, the way the beacons are generated changes. Another phone needs to see those beacons in order to connect and do the data exchange. Previously the Android app could only detect the foreground-mode beacons, so today’s fix makes it detect the background-mode ones too.”
This means that Android apps will now be able to detect the COVIDSafe beacon on iOS devices even when another app is open or if the phone is locked.
While this is a good start, there are still some broadcasting issues that Mussared and other developers have identified.
“These allow access to the device model (‘Samsung Galaxy G8’) and device name, if set (‘Jim’s Pixel 2’). Obviously this isn’t as serious as [the issues that have been fixed], because the phone model name isn’t as unique, but it’s still fairly unique in many situations,” said Mussared to Gizmodo Australia.
If you’re concerned about these details still being broadcast it may be worth removing your device name, if you have one set. Alternatively, set it to something generic such as the device model.
Another issue that the update has addressed is the ability for bad actors to unleash a Denial of Service attack (an actual real one) that disabled COVIDSafe on all iPhones in the general area.
Australian developer Richard Nelson posted a demonstration of how the attack worked on Twitter on Thursday:
Today’s COVIDSafe update fixes a security flaw I reported, which allows an attacker to disable the app for all iPhones in the vicinity. App has to be out of range of attack and manually opened to record contacts again.
You should still use it. pic.twitter.com/5LR32ft7RF
— Richard Nelson (@wabzqem) May 14, 2020
“With the right knowledge of the issue, it’s pretty trivial to execute… My video has it running on my laptop with a Bluetooth adaptor, which was very easy for me to execute,” said Nelson in a Twitter message to Gizmodo Australia.
According to a blog post by Nelson, the DTA were quick to acknowledge and provide a fix for the security flaw once he reported it.
Here’s to hoping that other serious bugs and fixes reported by developers working pro bono will be treated with similar seriousness and urgency. Since the app was released three weeks ago the developer community has been vocal about having issues reporting COVIDSafe bugs and flaws to the government.