Guardsquare announced the release of a report which reassesses the levels of security protections and privacy risks of COVID-19 contact tracing apps. The report found that of the 95 mobile apps analyzed, 60% use the official API for secure exposure notifications. For the remaining 40% of the contact tracing apps, the majority of which gather GPS location data, security is paramount, yet it lags.
“It is always important to follow security best practices during the development of any application which handles sensitive user data, and that is even more true when that app is a vital tool in the worldwide fight against the pandemic.
Contact tracing apps gathering user location data and personally identifiable information are especially attractive targets for exploitation, further reinforcing the need for developers to implement essential security protections,” said Grant Goodes, Chief Scientist at Guardsquare.
Majority of apps lacked basic security protections
Contact tracing apps have been commissioned and distributed by governments around the world to track and notify individuals of exposure to COVID-19 so they can take appropriate action in order to prevent the spread of the virus.
Government-sponsored COVID-19 contact tracing Android mobile apps were analyzed in June 2020, uncovering that the vast majority lacked even basic security protections. For this report, the original Android apps (with the exception of those no longer in use) were reanalyzed, new apps that have since emerged were added, and iOS mobile apps were included to derive insights into the two market-leading mobile operating systems.
Prevalent use of Exposure Notification API
In the updated analysis, it was found that use of the Exposure Notification API developed by Apple and Google is much more prevalent than in the June report. Notably, 62% of the Android apps and 58% of the iOS apps are using the API.
However, contact tracing apps not using the Exposure Notification API have applied either only a minimal level of fundamental security protection techniques or none at all.
The research reveals that although progress has been made, security and privacy issues among contact tracing apps persist. In particular, the analysis found that apps using GPS, Bluetooth, or a combination of the two to collect sensitive data are operating in a manner that endangers the security and privacy of users.
Key findings of COVID-19 contact tracing apps
- 33% of iOS and 20% of Android apps had no protection
- 61% of iOS and 75% of Android apps had one or two security protections
- 6% of iOS and 5% of Android apps had three or four security protections
- 0% of iOS and Android apps had five or more security protections
According to the assessment, the apps based on the Exposure Notification API have minimal security concerns. Alternate routes to detecting exposure via proximity to infected individuals (employing GPS, building custom Bluetooth proximity detection, or both) raise significant security and privacy concerns.
Unprotected mobile applications that gather GPS data and require sensitive identity credentials risk exploitation and potentially flagrant violations of user data privacy.
“Apps, especially applications downloaded by users on mobile devices requiring personal or location data, should always incorporate proper security protections and code hardening techniques to ensure that the privacy of the data they are collecting is sufficiently protected,” Goodes said.
“To successfully combat the spread of COVID-19, contact tracing app security should be at the forefront for developers, public health authorities, and governments.”