One year ago, the first COVID-19 contact tracing app was unveiled – the Google/Apple Exposure Notification (GAEN) system. Since then, 28 million people have downloaded various COVID-19 exposure apps onto their smartphones. These apps aim to help slow the spread of the virus, alongside the vaccines that are now available. However, the apps have faced serious skepticism and criticism over data privacy.
To take a deeper dive into the security and privacy of these new and mass-used apps, Jason Kent, Hacker in Residence at Cequence Security, downloaded and analyzed 10 different contact tracing apps.
The apps tested were the state and regional COVID-19 contact tracing apps for MN, RI, LA, WI, Guam, AL, DC, CA, UT and HI.
Kent specifically looked at each application's communications and associated connections.
"I watched all of the traffic off of each application in BURP Suite, an intercept proxy, and exercised the application."
Here are some key takeaways from the research:
In 10 out of 10 apps, the privacy of both the phone and the user was built in properly.
In only one app, the API key needed to transmit data would allow someone to forge a fake COVID test and post a fake manifest. Given the public nature of the application and the ease of figuring out how to do this, it is a concern.
The tokenization design and privacy considerations were all “top notch”.
In terms of personally identifiable information (PII) collection, these apps don't collect any.
"The beauty of these applications is that no PII is collected. Basically your phone sends out a signal with a unique identifier for your phone. If you send in a positive COVID test signal, all other phones that were near your phone will tell their owners they were near someone that identified a positive COVID test. All identifiers rotate and the manifests of the identifiers are the only data transmitted," says Kent.
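A simplified model of the flow Kent describes, added here as an illustration and not taken from the GAEN specification or any of the tested apps. The HMAC-based derivation, the 10-minute interval count and the `Phone` class are assumptions made for the example; the encounter data is constructed.

```python
import hashlib
import hmac
import secrets

INTERVALS_PER_DAY = 144  # assumed: one identifier per 10-minute window


def rotating_id(daily_key: bytes, interval: int) -> bytes:
    """Derive the identifier broadcast during one interval (HMAC stand-in)."""
    msg = b"rotating-id" + interval.to_bytes(4, "little")
    return hmac.new(daily_key, msg, hashlib.sha256).digest()[:16]


class Phone:
    def __init__(self):
        self.daily_key = secrets.token_bytes(16)  # random, carries no PII
        self.heard = set()  # identifiers seen nearby, kept on the device

    def broadcast(self, interval: int) -> bytes:
        return rotating_id(self.daily_key, interval)

    def observe(self, identifier: bytes) -> None:
        self.heard.add(identifier)

    def report_positive(self) -> bytes:
        """The only upload: the random daily key, no name or location."""
        return self.daily_key

    def check_exposure(self, manifest: list) -> int:
        """Re-derive identifiers from published keys and count local matches."""
        hits = 0
        for key in manifest:
            for interval in range(INTERVALS_PER_DAY):
                if rotating_id(key, interval) in self.heard:
                    hits += 1
        return hits


def simulate() -> dict:
    alice, bob, carol = Phone(), Phone(), Phone()
    # Constructed encounter: Bob is near Alice during intervals 10 and 11.
    for interval in (10, 11):
        bob.observe(alice.broadcast(interval))
    manifest = [alice.report_positive()]  # what the server publishes
    return {
        "ids_differ": alice.broadcast(10) != alice.broadcast(11),
        "bob_hits": bob.check_exposure(manifest),
        "carol_hits": carol.check_exposure(manifest),
    }
```

Matching happens on each phone against its own local log, so the server only ever holds the published manifest of random keys.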
This is interesting research, considering the misconceptions about these apps at the consumer level. For more information about this research by Cequence Security, visit their blog: https://www.cequence.ai/blog/api-security-done-right-covid-19-exposure-notification-system-minimizes-data-exposure/.