COVIDSafe Isn’t Tracking You (But You Do Need to Turn on Location Settings)

COVIDSafe Isn’t Tracking You (But You Do Need to Turn on Location Settings)
Image: Department of Health

A COVIDSafe update for Android devices has meant users now need to switch on location settings in for the app to function properly. Despite confusion and concerns over privacy, independent developers maintain the app is not tracking your location.

The issue, which only affects Android devices, was introduced with version 1.0.39 released back in July.

The update was released to address a problem on Android devices noticed by software developer Jim Mussared. When two users had their location settings switched off, their COVIDSafe apps would not log a ‘handshake’.

“COVIDSafe operates in two roles — simultaneously scanning for other phones and also advertising to other phones,” Mussared told Gizmodo Australia over email.

“If location is unavailable to the app, then it no longer scans, but can be detected by other phones. However, the app didn’t use to understand the difference between the location permission and the location enabled setting, leading to a confusing situation where if the global location enabled setting is turned off, COVIDSafe looks like it’s working perfectly, when it isn’t scanning.”

Once version 1.0.39 was introduced, users were notified that location services were needed but this also caused the confusing messaging still present in the app.

The app’s support team acknowledged the confusion on July 24 and said it had been added to a backlog it was working through.

Location settings confusion happening after COVIDSafe update

While this messaging was introduced in July, it’s only in recent weeks that users have noticed it after a subsequent update enabled auto-updating to the most recent version.

Now, many who had outdated versions for weeks or months are being confronted with a screen that states the app won’t work without location settings switched on.

“I’ve had no issues before. After the recent update, however, it now requires me to have location turned on for my phone (previously the app needed permission to access location, but didn’t need it turned on),” one reviewer wrote on the app’s Google Play Store page on August 9.

“I don’t want to turn location on, so I sort of wish I hadn’t updated it now, as I’m now reluctant to do everything required to make it work.”

Dr Vanessa Teague, a cybersecurity researcher who has been logging the app’s various issues since its release, pointed out that despite the confusing messaging, the app was still “half-working” when location settings were switched off.

Dr Teague explained on Twitter that if you’ve granted the app location permissions but your phone’s location settings are turned off, two conflicting messages appear — COVIDSafe is both active and not active.

If location settings are switched off but the app has been granted permission to use them, Dr Teague said that device would not be able to scan contacts but it would be logged as a contact in another device. The exception remains when both Android devices have location services disabled, resulting in no ‘handshake’ being exchanged.

Due to how Androids are designed, location settings need to be switched on in order for a device to conduct a Bluetooth scan. Without that functionality, the COVIDSafe app is unable to log other contacts.

The important part to remember here is that location data is not being recorded by the app — that’s protected in the legislation.

Gizmodo Australia has contacted the DTA, the app’s creators, to understand whether it’s working on clearing up the confusion caused by the app’s messaging.