Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


01:00 PM
Grant Goodes
Grant Goodes

COVID-19 Contact-Tracing Apps Signal Broader Mobile App Security Concerns

The rapid launch of contract-tracing apps to control COVID-19's spread opened the door to multiple security and privacy vulnerabilities.

The COVID-19 pandemic led to a rapid response to try to contain the virus' global spread. However, whenever speed is a factor, security and privacy often fall by the wayside. This is especially true with contact-tracing mobile apps, which have been available since spring 2020 yet still lack some of the most basic security protections.

Historically, centralized, government-run data-collection efforts have been abject failures, which seems surprising given the availability of vast computing resources. Even something as seemingly straightforward as government computerization of medical records has succeeded in only a small number of countries. Due to the urgency of the COVID-19 pandemic, governments had to consider noncentralized approaches to contact tracing to both react quickly and achieve the necessary high coverage.

Related Content:

What Can Your Connected Car Reveal About You?

Special Report: 2020 State of Cybersecurity Operations and Incident Response

New From The Edge: Security + Fraud Protection: Your One-Two Punch Against Cyberattacks

In a sense, contact-tracing mobile apps are an example of a crowdsourced solution to a governance problem, and their success sets an important precedent. Mobile devices will no longer be seen as exclusively communication or leisure platforms. They'll also be considered whenever public health authorities and other government entities need to gather data from their entire population.

All this data collection should be done far more carefully and securely than it is today, or governments will risk losing their citizens' trust permanently.

The Role of Trust and Privacy in Contact Tracing
In a single word, trust is essential if contact-tracing apps are to succeed in their purpose, which is to provide a pervasive and accurate capability to warn individual citizens of potential exposure to the virus when going about their day-to-day activities. Distributed contact tracing via mobile apps (as opposed to centralized, manual contact tracing performed by humans) can be effective only if the majority of citizens install and use the apps.

For this to happen, individuals must believe that the app is safe to use and doesn't expose their personal information, either to the government or to malicious actors who might hack the app. The best way to avoid personal data exposure is for the contact-tracing app not to gather it in the first place.

In May 2020, Apple and Google jointly released the Exposure Notifications API to help governments and other groups build contact-tracing apps. The API's goal is to provide the core functionality for building apps that notify users of possible exposures while protecting user privacy and security. This was a game-changer for contact tracing using smart devices, and the companies hoped that the majority of the world's health authorities would adopt the API. Public health experts hoped the attention paid to privacy and security by design would result in a greater likelihood of public trust in this approach to combating the spread of COVID-19.

An analysis of 62 iOS and Android contact-tracing apps in December found that 60% used the API (62% of the Android apps and 58% of the iOS apps). In addition, they found significant security and privacy concerns in the 40% of apps that did not use the official Exposure Notifications API and instead took a do-it-yourself approach to security. Of greatest concern were the contact-tracing apps that used GPS geolocation data.

GPS and Security Concerns: Where Many Countries Went Wrong
The potential privacy implications of using GPS data are of great concern on their own; even worse, many of the apps that use GPS tracking also require people to share their phone number or passport details to use the app.

Some of the analyzed apps harvest device information, which is a clear overreach. Just an IP address and a time stamp are enough for a government to link a person to a device. Harvesting anything more is unnecessary and creates clear privacy risks.

Unfortunately, many examples of overly invasive and poorly secured contact-tracing apps have been found since last spring. These failures eroded public trust in these apps, which reduced the effectiveness of the entire public health response. The earliest apps were rushed to market with many flaws or (like one UK app) failed so badly that they were abandoned before release.

You only get one chance to make a good first impression. Jurisdictions that made multiple attempts to roll out contact-tracing apps most likely faced adoption issues due to the aforementioned lack of trust.

Collect Only Essential Data, and Make Your App Difficult to Compromise
A best practice is to collect only the data that is necessary for the app to function properly. In the case of contact-tracing applications, that means using the Exposure Notifications API instead of GPS data. Beyond that, applying basic security techniques can prevent attackers from gaining unauthorized access to data, tampering with code, creating fake applications, and more. Security incidents are a serious issue that can erode public trust.

Luckily, these issues are easily fixable if mobile app developers and security professionals prioritize security early in the development life cycle. It's important to empower developers with secure coding skills, take advantage of pen testing and other application security testing measures, and apply code hardening and runtime application self-protection before an application is published (and with each subsequent release). Prioritizing security as much as time-to-market can help prevent incidents, as well as protect both consumers and governments.

Grant Goodes, Chief Scientist at Guardsquare, is a leading expert in cybersecurity technology with uniquely broad and deep experience in all aspects of application security including code and data obfuscation/transformation, whitebox cryptography, static and dynamic code ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Author
3/15/2021 | 7:27:37 PM
Privacy concerns are real
Important topic, highlights real concerns. 
A Startup With NSA Roots Wants Silently Disarming Cyberattacks on the Wire to Become the Norm
Kelly Jackson Higgins, Executive Editor at Dark Reading,  5/11/2021
Cybersecurity: What Is Truly Essential?
Joshua Goldfarb, Director of Product Management at F5,  5/12/2021
3 Cybersecurity Myths to Bust
Etay Maor, Sr. Director Security Strategy at Cato Networks,  5/11/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Google Maps is taking "interactive" to a whole new level!
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-05-17
Cross Site Scripting (XSS) in emlog v6.0.0 allows remote attackers to execute arbitrary code by adding a crafted script as a link to a new blog post.
PUBLISHED: 2021-05-17
Cross Site Request Forgery (CSRF) in Pluck CMS v4.7.9 allows remote attackers to execute arbitrary code and delete a specific article via the component " /admin.php?action=page."
PUBLISHED: 2021-05-17
Cross Site Request Forgery (CSRF) in Pluck CMS v4.7.9 allows remote attackers to execute arbitrary code and delete specific images via the component " /admin.php?action=images."
PUBLISHED: 2021-05-17
A heap based buffer overflow vulnerability exists in GNU LibreDWG 0.10 via read_2004_section_handles ../../src/decode.c:2637.
PUBLISHED: 2021-05-17
A heap based buffer overflow vulnerability exists in GNU LibreDWG 0.10 via read_2004_section_revhistory ../../src/decode.c:3051.