Australia’s COVIDSafe tracing app is one of the best and safest apps of its kind in the world, according to University of Adelaide cybersecurity experts who have been exploring the vulnerabilities of people-tracing apps.
A team from the University of Adelaide’s School of Computer Science has made the claim after assessing 34 of the world’s COVID-19 contact tracing apps for security and privacy vulnerabilities.
The team studied Android device tracing apps that have had more than 10,000 downloads each in different countries, as well as apps recommended by official authorities.
The results of the study can be found here: https://arxiv.org/abs/2006.10933
Associate Professor Damith Ranasinghe from the University of Adelaide’s School of Computer Science says most COVID-19 contact tracing apps are vulnerable to malicious attacks, contain trackers and could, if hacked, create false data about the incidence of cases.
“Australia’s COVIDSafe app is currently well designed. Since its release on 14 April 2020, developers across the nation have continually improved its security,” Associate Professor Ranasinghe says.
“Everyone in Australia should be using the COVIDSafe app, in our opinion. It’s one of the best of its kind anywhere in the world today.
“While COVIDSafe is one of the safest, if not the safest tracing app, not all tracing apps are as good.
“About 70% of the apps in our sample pose potential security risks. This is because either their cryptographic algorithms used for securing data are insecure, or not best practice, or because they store sensitive information in clear text that could be potentially read by attackers.
“Over 60% of the apps posed vulnerabilities through manifest weaknesses such as allowing permissions for backups to be made, which could allow unencrypted data to be copied.
“We identified that approximately 75% of the apps contain at least one tracker, such as Google or Facebook trackers, these trackers collect information about people’s activities on their mobile devices. This private information could be given to third parties.
“It is possible to carry out a so-called replay attack, in which a malicious user can replay valid identifiers to redirect all the traffic from one place to another to virtually or digitally alter the footprint of the contact. This could result in the targeted area being incorrectly locked-down due to false information.”
Contact tracing apps operate by recording prolonged and close proximity interactions between individuals by using proximity sensing methods such as Bluetooth. The apps speed up the process of finding people who have been in close contact with someone infected with COVID-19. An app can only catch interactions between people who have installed it, so public buy-in is key to the app’s effectiveness.
“As part of our assessment of the vulnerabilities of apps currently being used, we identified a potential malicious attack scenario and proposed an idea to mitigate such a risk,” says Dr Jason Xue, from the University of Adelaide’s School of Computer Science.
“We informed all the app developers and related stakeholders on 23 May 2020 about the vulnerabilities so that they have the opportunity to update the apps.
"We recently re-checked all of these apps and found that all potential privacy leakage on three apps – TraceTogether (Singapore), BlueZone (Vietnam), STOP COVID19 CAT (Spain) – has been fixed. Additionally, all the trackers of the app, Mysejahtera (Malaysia), have been removed and the vulnerable app, Contact Tracer (USA), is no longer available in Google Play Store.
“In the latest version of COVID Safe, developers have encrypted its local database which is stored in the phone, so that even if data is breached, the attacker will not be able to decrypt the data.
“A further improvement we have suggested is to detect the so-called rooting of a device in which a malicious actor tries to evade the protections provided to the app from the operating system of your mobile phone.
“Our study can provide useful insights for governments, developers and researchers in the software industry to develop secure and privacy-preserving contact tracing apps. We hope the results and the proposed contact tracing approach will contribute to increasing the trustworthiness of solutions to respond to infectious diseases now and in the future.
“As our next step, we are planning to examine any vulnerabilities associated with iOS apps.”
The University of Adelaide is a leader in cybersecurity education and research, and has a strategic industry focus on defence, cyber and space.##