The government has released the much-anticipated technical details of its coronavirus tracing app, COVIDSafe, but developers noticed an interesting state-sized omission from one part of the code ” Tasmania.
The Digital Transformation Agency (DTA), the government agency in charge of the app’s development, delivered on its promise to release COVIDSafe’s source code on May 9 after weeks of speculation.
The source code doesn’t offer too much extra information researchers didn’t already have but will serve to confirm exactly what’s in the code.
One particular piece of the source code relating to the states and territories of Australia is raising some eyebrows, however, thanks to a glaring omission.
It’s the attention to detail that really stands out pic.twitter.com/GOZeZktpMo
— Anthony B, oh god we’re all going to die (@swearyanthony) May 8, 2020
In a section of the code for iOS that’s apparently not utilised, it lists Australia’s states and territories but leaves off Tasmania. As some developers pointed out in the thread, it doesn’t actually affect the app’s features and whether it will work in the state but it’s just one reason highlighting the benefit of seeing an app’s source code.
Jim Mussared, part of a group of developers who have been digging into the app’s code, said the source code’s release also helped to compare it to Singapore’s TraceTogether app, which it was based on.
“Seeing the source code allows us to do a direct comparison to the Singapore [TraceTogether] code,” Mussared said to Gizmodo Australia over email.
“One very clear result of this is that there were zero functional changes to the iOS BLE backgrounding behaviour (CentralController.swift). We know that the Singapore team knew that background-to-background iPhone didn’t work, so any claims by the DTA that they ‘fixed it’ indicate that either they never actually tested [or] investigated it, or their testing methodology was flawed.”
He added that the source code, based on the recent 1.0.16 Android and 1.1 iOS versions, showed none of the flaws he disclosed to the DTA last week have been addressed.
[referenced url=”https://gizmodo.com.au/2020/05/covidsafe-bugs-ios-android-tracking-privacy/” thumb=”https://gizmodo.com.au/wp-content/uploads/2020/05/covidsafeimage-410×231.jpg” title=”COVIDSafe Still Has Bugs, According To Experts” excerpt=”There has been a lot of discussion surrounding the government’s coronavirus tracing app, COVIDSafe, but at the forefront has been issues of privacy and its ability to work properly on devices. With the federal government tying the easing of social restrictions to app downloads, developers have reverse engineered the app to find out what’s actually wrong with it. Here’s what they’ve found.”]
While the source code’s release is welcomed, cybersecurity researcher Associate Professor Vanessa Teague told Gizmodo Australia last week it’s the server code, held by Amazon Web Services, that is really the more important aspect right now.
“We already have the source code for the app from decompiling it, so the app code won’t tell us anything we don’t already know. It’s the server code that we need,” Professor Teague said in an email.
“Australia’s tech community could find, and help to fix, the bugs that are almost certainly present in the server code. There are numerous potential areas in which a mistake could undermine the security and privacy protections that millions of Australians are relying on.”
The DTA has refused to release the server’s source code citing security and integrity despite its own Digital Service Standard encouraging open source to “increase transparency” and “add benefits, from improvements by other developers”.
[referenced url=”https://gizmodo.com.au/2020/04/coronavirus-tracing-app-australia-source-code/” thumb=”https://gizmodo.com.au/wp-content/uploads/2019/10/mobilecharging-410×231.jpg” title=”Why Experts Want The Government To Release The Source Code Of Its Tracing App” excerpt=”The Australian government’s coronavirus tracing app is set to be released soon but it hasn’t been without its fair share of controversy due to privacy concerns and a lack of clarity over whether it will be mandatory. The latest concern is that the app’s technical details might not be fully revealed for scrutiny prior to its public release and data security experts are concerned about what that could mean.”]