New Tool Reveals Security and Privacy Issues with Contact Tracing Apps

Researchers have developed a tool to identify security and privacy risks associated with COVID-19 contact tracing apps.

COVIDGuardian, the first automated security and privacy assessment tool, tests contact tracing apps for potential threats such as malware, embedded trackers and private information leakage.

Using the COVIDGuardian tool, cybersecurity experts assessed 40 COVID-19 contact tracing apps that have been employed worldwide for potential privacy and security threats. Their findings include that:

  • 72.5 per cent of the apps use at least one insecure cryptographic algorithm.
  • Three quarters of apps contained at least one tracker that reports information to third parties such as Facebook Analytics or Google Firebase.
  • Whilst most apps were free of malware, the Kyrgyzstan app Stop COVID-19 KG was discovered to have malware.

Following their analysis, the researchers released the results to vendors. Further testing later found that privacy and security weaknesses on four apps had been fixed, and one vulnerable app was found to no longer be available.

Dr Gareth Tyson, Senior Lecturer at Queen Mary University of London, said: "With the pandemic there was a rapid need for contact tracing apps to support efforts to control the spread of COVID-19. Unsurprisingly we found that this had resulted in some relatively mainstream security bugs being introduced worldwide. Some of the most common risks relate to the use of out-of-date cryptographic algorithms and the storage of sensitive information in plain text formats that could be read by potential attackers."

"Our work is helping developers to address these problems. Through COVIDGuardian we've produced a tool that can be used by developers to discover and fix potential weaknesses in their apps and share guidelines that will help to ensure user privacy and security is maintained."

To support this work the researchers also performed a survey involving over 370 individuals to understand the likelihood that they would use a contact tracing app and highlight concerns around their use. The results suggested that the privacy and accuracy of contact tracing apps had the biggest impact on whether individuals would use the app.

As part of the survey, volunteers were also asked about their preferences with regards to decentralised and centralised apps. Dr Tyson, said: "Security and privacy concerns have been a big issue affecting the uptake of these apps. We were surprised that the debate around decentralised vs centralised apps didn't seem so important and, instead, users were more focused on the exact details of what private information is collected. This should encourage developers to offer stronger privacy guarantees for their apps."

Ruoxi Sun, Wei Wang, Minhui Xue, Gareth Tyson, Seyit Camtepez, Damith C. Ranasinghe.
An Empirical Assessment of Global COVID-19 Contact Tracing Applications.

The paper will be presented at the International Conference on Software Engineering on May 23-29 2021. A copy of the paper is available at: https://arxiv.org/abs/2006.10933.

Most Popular Now

Early Warning System for Intensive Care …

Life-threatening situations occur time and again in an intensive care unit. To make sure that doctors can intervene in time, a team at the German Heart Center Berlin (DHZB) has...

Virtual Reality could Help to Reduce Pai…

We all feel physical pain in different ways, but people with nerve injuries often have a dysfunctional pain suppression system, making them particularly prone to discomfort. Now researchers have uncovered that...

Philips Partners with Orbita to Develop …

Royal Philips (NYSE: PHG, AEX: PHIA), a global leader in health technology, and Orbita Inc., an innovative provider of conversational artificial intelligence (AI) solutions for healthcare, announced a partnership agreement...

CliniSys Group Creates Single Brand for …

CliniSys Group has created a single brand for its businesses in the UK and Europe, with a refreshed logo and a new website. The move creates a unified identity for CliniSys...

East Lancashire Signs Deal for Early War…

Thousands of NHS professionals across five hospitals in East Lancashire are to benefit from early warning technology that will help them detect and swiftly respond to deteriorating patients in need...

FDA Grants Oxehealth Vital Signs De Novo…

Oxehealth has announced another world first after the US Food and Drug Administration granted a De Novo clearance for its Oxehealth Vital Signs product, which is incorporated into Oxevision, the...

Telemedicine Improves Access to High-Qua…

The American Academy of Sleep Medicine recently published an update on the use of telemedicine for the diagnosis and treatment of sleep disorders to reflect lessons learned from the transition...

DMEA 2021: Digital Health. 100 % Virtual…

7 - 11 June 2021, Berlin, Germany. An entire week dominated by digital healthcare! With that in mind, early in June DMEA 2021 will be kicking off with a wide range...

Philips and NHS Implement the First Regi…

Royal Philips (NYSE: PHG, AEX: PHIA), announced it has supported the NHS' Cheshire and Merseyside consortium [1] to become the first regional hub supplying the United Kingdom's National COVID-19 Chest...

Child Brain Tumours can be Classified by…

Diffusion weighted imaging and machine learning can successfully classify the diagnosis and characteristics of common types of paediatric brain tumours a UK-based multi-centre study, including WMG at the University of...

AI could Crack the Language of Cancer an…

Powerful algorithms used by Netflix, Amazon and Facebook can 'predict' the biological language of cancer and neurodegenerative diseases like Alzheimer's, scientists have found.