

01:00 PM
Grant Goodes

COVID-19 Contact-Tracing Apps Signal Broader Mobile App Security Concerns

The rapid launch of contact-tracing apps to control COVID-19's spread opened the door to multiple security and privacy vulnerabilities.

The COVID-19 pandemic led to a rapid response to try to contain the virus' global spread. However, whenever speed is a factor, security and privacy often fall by the wayside. This is especially true with contact-tracing mobile apps, which have been available since spring 2020 yet still lack some of the most basic security protections.

Historically, centralized, government-run data-collection efforts have been abject failures, which seems surprising given the availability of vast computing resources. Even something as seemingly straightforward as government computerization of medical records has succeeded in only a small number of countries. Due to the urgency of the COVID-19 pandemic, governments had to consider noncentralized approaches to contact tracing to both react quickly and achieve the necessary high coverage.

In a sense, contact-tracing mobile apps are an example of a crowdsourced solution to a governance problem, and their success sets an important precedent. Mobile devices will no longer be seen as exclusively communication or leisure platforms. They'll also be considered whenever public health authorities and other government entities need to gather data from their entire population.

All this data collection should be done far more carefully and securely than it is today, or governments will risk losing their citizens' trust permanently.

The Role of Trust and Privacy in Contact Tracing
In a word, trust is essential if contact-tracing apps are to succeed in their purpose, which is to provide a pervasive and accurate capability to warn individual citizens of potential exposure to the virus as they go about their day-to-day activities. Distributed contact tracing via mobile apps (as opposed to centralized, manual contact tracing performed by humans) can be effective only if the majority of citizens install and use the apps.

For this to happen, individuals must believe that the app is safe to use and doesn't expose their personal information, either to the government or to malicious actors who might hack the app. The best way to avoid personal data exposure is for the contact-tracing app not to gather it in the first place.

In May 2020, Apple and Google jointly released the Exposure Notifications API to help governments and other groups build contact-tracing apps. The API's goal is to provide the core functionality for building apps that notify users of possible exposures while protecting user privacy and security. This was a game-changer for contact tracing using smart devices, and the companies hoped that the majority of the world's health authorities would adopt the API. Public health experts hoped the attention paid to privacy and security by design would result in a greater likelihood of public trust in this approach to combating the spread of COVID-19.

An analysis of 62 iOS and Android contact-tracing apps in December found that 60% used the API (62% of the Android apps and 58% of the iOS apps). In addition, the analysis found significant security and privacy concerns in the 40% of apps that did not use the official Exposure Notifications API and instead took a do-it-yourself approach to security. Of greatest concern were the contact-tracing apps that used GPS geolocation data.

GPS and Security Concerns: Where Many Countries Went Wrong
The potential privacy implications of using GPS data are of great concern on their own; even worse, many of the apps that use GPS tracking also require people to share their phone number or passport details to use the app.

Some of the analyzed apps harvest device information, which is a clear overreach. Just an IP address and a time stamp are enough for a government to link a person to a device. Harvesting anything more is unnecessary and creates clear privacy risks.

Unfortunately, many examples of overly invasive and poorly secured contact-tracing apps have been found since last spring. These failures eroded public trust in these apps, which reduced the effectiveness of the entire public health response. The earliest apps were rushed to market with many flaws or (like one UK app) failed so badly that they were abandoned before release.

You only get one chance to make a good first impression. Jurisdictions that made multiple attempts to roll out contact-tracing apps most likely faced adoption issues due to the aforementioned lack of trust.

Collect Only Essential Data, and Make Your App Difficult to Compromise
A best practice is to collect only the data that is necessary for the app to function properly. In the case of contact-tracing applications, that means using the Exposure Notifications API instead of GPS data. Beyond that, applying basic security techniques can prevent attackers from gaining unauthorized access to data, tampering with code, creating fake applications, and more. Security incidents are a serious issue that can erode public trust.

Luckily, these issues are easily fixable if mobile app developers and security professionals prioritize security early in the development life cycle. It's important to empower developers with secure coding skills, take advantage of pen testing and other application security testing measures, and apply code hardening and runtime application self-protection before an application is published (and with each subsequent release). Prioritizing security as much as time-to-market can help prevent incidents, as well as protect both consumers and governments.

Grant Goodes, Chief Scientist at Guardsquare, is a leading expert in cybersecurity technology with uniquely broad and deep experience in all aspects of application security including code and data obfuscation/transformation, whitebox cryptography, static and dynamic code ...

User Rank: Author
3/15/2021 | 7:27:37 PM
Privacy concerns are real
Important topic, highlights real concerns. 