Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

6/18/2020
11:10 AM
50%
50%

Most Contact-Tracing Apps Fail Basic Security

A survey of 17 Android applications for informing citizens if they had potential contact with a COVD-19-infected individual finds few have adopted code-hardening techniques.

Government agencies and private organizations that are developing contact-tracing applications to help citizens keep informed about their potential risk of infection have failed to provide adequate protections against compromise and hacking, mobile-application security firm Guardsquare stated in a report published on Thursday.

The company analyzed 17 Android applications, looking for six different types of security countermeasures that the company deems necessary to protect user privacy and prevent the data collected by the contact app from being used for unforeseen purposes. Only one of the applications included full encryption and obfuscation of sensitive data, according to the report.

Despite the need to quickly get contract-tracing capabilities into the hands of citizens, countries need to get privacy right, says Grant Goodes, chief scientist with Guardsquare.

"In the current day and age, with people's somewhat understandable mistrust of government, if you try to roll out something — for a legitimate purpose and a well-intentioned purpose — but you make a giant security mistake, as North Dakota's app did, you will destroy public trust," he says. "And you really only get one shot at these things."

Contact tracing is widely considered to be a necessary step for countries to take to continue to open up their economies while reducing the transmission of infectious diseases. Manual contact tracing — the only effective method in the past — requires a massive workforce. Before the epidemic, state, and local health departments employed fewer than 2,000 contact tracers, but anywhere between 100,000 and 300,000 may be necessary.

"Prompt identification, voluntary isolation or quarantine, and monitoring of a person diagnosed with COVID-19 and their contacts can effectively break the chain of disease transmission and prevent further spread of the virus," the US Center for Disease Control said in a policy statement. "Case investigation and contact tracing are core disease control measures that have been used by state and local health departments for decades to slow or stop the spread of infectious diseases."

Contact-tracing applications make the process more accurate and less labor-intensive but raise significant privacy concerns. One early adopter of contract tracing, China, uses a centralized system that has no significant protections for citizens' privacy, allowing police to check the status of people as they commute between various locations. The United Kingdom and France are also pursuing a centralized model, raising the specter of large databases of geolocation data on their citizens stored on government-owned servers.

Privacy advocates have argued that decentralized contact tracing is the only way to proceed. In May, Apple and Google launched a joint initiative to create a framework for opt-in privacy-preserving contact tracing that only stored location data on the device. Such distributed contact tracing is the preferred way among technologists to implement the technology, but people have not adopted such optional technology very quickly. In Germany, which launched its app this week, only 41% of people are likely to adopt the app, while 46% are not willing to use contact tracing, one survey found, according to the Wall Street Journal.

People are even less likely to adopt applications if security issues are found, says Guardsquare's Goodes. In May, Amnesty International found significant security weaknesses in the mandatory contact-tracing application in Qatar, issues that exposed more than 1 million people. Pro-privacy configuration service Jumbo analyzed the Care19 contact-tracing app developed by North Dakota and found that it fails to abide by its own privacy policy, sharing information on the user's location with geolocation-based advertising service FourSquare. In June, FourSquare allowed developers to disable the advertising ID that could be used to track users.

In its analysis, Guardsquare deemed six different forms of data protection to be necessary to protect a user's privacy on the applications. The code should have obfuscation to make reverse engineering more difficult, string encryption to protect sensitive code variables and names, asset encryption to prevent attackers from accessing parts of the program, and additional obfuscation to harden the software. In addition, the program should have checks to prevent running on a compromised device or in an emulator.

These measures do not even take into account how the application and the government behind the application handles the data. Yet, only a single application — of 17 — managed to have all the application-hardening measures in place, Guardsquare stated in its analysis. The five applications tested from the Americas all adopted three of the techniques, but none adopted the other three security measures. The applications created for the Middle Eastern market had the least amount of security measures, with only two of four applications even adopting a method of encryption or obfuscation.

"This form of voluntary contact tracing could be a far more gentle form of lockdown, if people trust it and it works right," says Goodes. "The problem is that we are just starting to get these apps out there and they are being rushed, without the proper security."

Making the applications private from the get-go is critical, adds Guardsquare's Goodes. "There are so many ways that this can go wrong," he says. "We have seen that every technology has a dark side, and the police have shown a willingness to use any technology to their benefit."

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's featured story: "What's Anonymous Up to Now?"

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Cloud Security Threats for 2021
Or Azarzar, CTO & Co-Founder of Lightspin,  12/3/2020
Why Vulnerable Code Is Shipped Knowingly
Chris Eng, Chief Research Officer, Veracode,  11/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Assessing Cybersecurity Risk in Todays Enterprises
Assessing Cybersecurity Risk in Todays Enterprises
COVID-19 has created a new IT paradigm in the enterprise and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-27772
PUBLISHED: 2020-12-04
A flaw was found in ImageMagick in coders/bmp.c. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of values outside the range of type `unsigned int`. This would most likely lead to an impact to application availability, but could po...
CVE-2020-27773
PUBLISHED: 2020-12-04
A flaw was found in ImageMagick in MagickCore/gem-private.h. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of values outside the range of type `unsigned char` or division by zero. This would most likely lead to an impact to appli...
CVE-2020-28950
PUBLISHED: 2020-12-04
The installer of Kaspersky Anti-Ransomware Tool (KART) prior to KART 4.0 Patch C was vulnerable to a DLL hijacking attack that allowed an attacker to elevate privileges during installation process.
CVE-2020-27774
PUBLISHED: 2020-12-04
A flaw was found in ImageMagick in MagickCore/statistic.c. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of a too large shift for 64-bit type `ssize_t`. This would most likely lead to an impact to application availability, but co...
CVE-2020-27775
PUBLISHED: 2020-12-04
A flaw was found in ImageMagick in MagickCore/quantum.h. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of values outside the range of type unsigned char. This would most likely lead to an impact to application availability, but c...