Report: Guardsquare Reveals Security and Privacy Risks Persist in Global COVID-19 Contact Tracing Apps

Analysis Finds 60% of Apps Use Secure Official API, Remaining 40% Still Lack Basic Protections

Leuven, Belgium – December 10, 2020 – Guardsquare, the mobile application security platform, today announced the release of the company’s second “Global Contact Tracing App Analysis,” which reassesses the levels of security protections and privacy risks of COVID-19 contact tracing apps. The report found that of the 95 mobile apps analyzed, 60% use the official application programming interface (API) for secure exposure notifications. For the remaining 40% of the contact tracing apps, the majority of which gather GPS location data, security is paramount ‒ yet lags.

“It is always important to follow security best practices during the development of any application which handles sensitive user data, and that is even more true when that app is a vital tool in the worldwide fight against the pandemic. Contact tracing apps gathering user location data and personally identifiable information are especially attractive targets for exploitation, further reinforcing the need for developers to implement essential security protections,” said Grant Goodes, Chief Scientist at Guardsquare. 

Contact tracing apps have been commissioned and distributed by governments around the world to track and notify individuals of exposure to COVID-19 so they can take appropriate action in order to prevent the spread of the virus. Guardsquare first analyzed government-sponsored COVID-19 contact tracing Android mobile apps in June 2020, uncovering that the vast majority lacked even basic security protections. For this report, Guardsquare reanalyzed the original Android apps (with the exception of those no longer in use), added new apps that have since emerged, and included iOS mobile apps to derive insights into the two market-leading mobile operating systems. 

In the updated analysis, Guardsquare found use of the Exposure Notification API developed by Apple and Google to be much more prevalent than in the June report. Notably, of the apps Guardsquare analyzed, 62% of the Android apps and 58% of the iOS apps are using the API. However, contact tracing apps not using the Exposure Notification API have applied either a minimal level of fundamental security protection techniques or no security protection techniques.

The research reveals that although progress has been made, security and privacy issues among contact tracing apps persist. In particular, the analysis found that apps using GPS, Bluetooth, or a combination of the two, to collect sensitive data are operating in a manner endangering the security and privacy of users. 

Key Findings of COVID-19 Contact Tracing Apps (Exposure Notification API Not Used): 

• 33% of iOS and 20% of Android apps had no protection
• 61% of iOS and 75% of Android apps had one or two security protections 
• 6% of iOS and 5% of Android apps had three or four security protections
• 0% of iOS and Android apps had five or more security protections

According to Guardsquare’s assessment, the apps based on the Exposure Notification API have minimal security concerns. Alternate routes to detecting exposure via proximity to infected individuals ‒ employing GPS, building custom Bluetooth proximity detection, or both ‒ raise significant security and privacy concerns. Unprotected mobile applications that gather GPS data and require sensitive identity credentials risk exploitation and potentially flagrant violations of user data privacy.

“Apps, especially applications downloaded by users on mobile devices requiring personal or location data, should always incorporate proper security protections and code hardening techniques to ensure that the privacy of the data they are collecting is sufficiently protected,” Goodes said. “To successfully combat the spread of COVID-19, contact tracing app security should be at the forefront for developers, public health authorities, and governments.”

Methodology:

In this report, Guardsquare analyzed 52 Android apps and 43 iOS apps based on six key features to determine which security protections apps are applying, or lacking, to safeguard code and user data. Researchers conducted analysis on contact tracing apps on Android and iOS mobile app platforms worldwide and across 13 U.S. states and 2 US territories.

For further information about mobile application protection and to download the contact tracing report, please visit: REPORT: Reassessing COVID-19 Contact Tracing Apps, Security and Privacy Risks Persist

About Guardsquare

Guardsquare is the global leader in mobile application protection. More than 650 customers worldwide across all major industries rely on Guardsquare to secure their mobile applications against reverse engineering and hacking. Built on the open source ProGuard technology, Guardsquare software integrates transparently in the development process and adds multiple layers of protection to Android (DexGuard) and iOS (iXGuard) applications hardening them against both on-device and off-device attacks. With the addition of ThreatCast, its mobile application security console, Guardsquare offers the most complete mobile security solution on the market today. Guardsquare is based in Leuven, Belgium with a US office in Boston, MA.

Contact
Erica Sheehan
VP of Marketing, Guardsquare
erica.sheehan@guardsquare.com