NEW REPORT: Security still a major concern for many COVID-19 contact tracing apps

Contact tracing apps have given citizens around the globe a way to help protect themselves and their families from COVID-19 by notifying people when someone they have been in close proximity to tests positive for the virus. These apps, largely introduced by national or regional governments, have proliferated significantly over the last year. 

However, as we discovered in our first COVID-19 Contract Tracing App Security Report released in June, the lack of security within many of these apps leaves their code and their users’ data unprotected.

We recently revisited our research, this time analyzing the security protections of a larger group of 95 COVID-19 contact tracing apps, since many new ones have been introduced over the last several months. Of the apps we studied, 14 Android apps were included in our original analysis shared in June (three of the original 17 are no longer available). 

To ensure our analysis has global relevance, we’ve included apps from around the world. Additionally, within the U.S., our sample included 13 states’ apps and two U.S. territories’ apps.

Here’s an overview of what we uncovered.

The introduction of the official Google & Apple API

Contact tracing apps are a vital tool in the global response to COVID-19, but will only be effective if users trust them. Without the proper security measures, apps are vulnerable to privacy issues, including exposing users’ sensitive health-related and other personal data. 

Many of the apps we examined for this report (60%) are built on the official API that Google and Apple teamed up to release this past spring. This is promising, as this API limits the collection of private data by design. With this knowledge, we focused further examination on the 40% of apps that do not use the official API. 

Without the API’s well-designed and secure Bluetooth contact tracing mechanism—which detects proximity to infected individuals—the most widely used options for checking relative location are GPS, custom Bluetooth detection, or a combination of the two. 

GPS data is a particularly concerning type to collect, especially if the app is not well-secured. Additionally, several of the apps using GPS tracking also require users to share personal details like passport number, phone number, device ID and more. Some of these apps even store the data in a plain SQLite database or leak them in the HTTP cache, which means they are effectively unencrypted. 

The privacy concerns raised by these apps’ insecure design can call public trust in the apps into question and limit the utility of the apps for combatting the pandemic. 

What a well-secured mobile app looks like

If an app is not using the official Google/Apple API, it needs to be very well secured. This is why we took a look at six code hardening techniques that should be applied to mobile applications to properly secure data. 

These techniques include:

• String encryption: Encrypts sensitive information included in the source code.
• Name obfuscation: Hides identifiers in the application’s code to prevent hackers from reverse engineering and analyzing source code.
• Data-at-rest encryption: Encrypts data to prevent hackers from accessing it. 
• RASP (root/jailbreak and/or emulator detection):
  • Root detection: For Android apps, monitors the environment in which applications are running and prevents them from being executed on rooted devices.
  • Jailbreak detection: For iOS, monitors the environment in which applications are running and prevents them from being executed on jailbroken devices. 
  • Emulator detection: Prevents applications from being executed on virtual devices.
• SSL pinning: The process of associating a host with its certificate or public key.
• App attestation: Establishes app integrity by ensuring that connections to the server are coming from legitimate instances of the app.