Privacy Challenges with Android Contact Tracing App

May 6, 2021

Why are we not surprised? We learn from The Markup that “Google Promised its Contact Tracing App Was Completely Private—But it Wasn’t.” The COVID contact-tracing framework, developed in a unique partnership with Apple, was used by several government agencies in their official apps. Millions of citizens took CEOs Sundar Pichai (Google) and Tim Cook (Apple) at their word that personal data would be kept private and downloaded the apps.

To trace contacts, enabled devices exchange anonymized Bluetooth identifiers with each other whenever people with the app are within 6 feet for 10 minutes or more. To make it harder to identify users, those identifiers are changed every 15 minutes and are derived from a key that changes every 24 hours. On Android (Google) devices, the received identifiers are also written to the system logs, where they were assumed to be safely out of reach unless the user tests positive and chooses to share that information. At least, that's the idea. Reporter Alfred Ng quotes AppCensus forensics lead Joel Reardon:
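The identifier scheme described above is the Google/Apple Exposure Notification cryptography: a 16-byte Temporary Exposure Key (TEK) is generated each day, an HKDF step turns it into a Rolling Proximity Identifier Key, and each interval number is AES-encrypted under that key to give the identifier that is actually broadcast (the published spec counts intervals of 10 minutes, 144 per key; the 15-minute figure above is the rotation cadence as reported). The Go program below is added here as an illustration and is not code from Google, Apple, The Markup or this post; it follows my reading of the published GAEN crypto specification, and the key and timestamp it uses are constructed, not real. Its MatchObserved function is the step that matters for the logging problem: an identifier copied out of a log is meaningless on its own, but once the owner's key is published in a diagnosis-key batch, whoever holds the log can resolve that identifier to a time window, which is the "was this person near someone positive" inference the quote that follows warns about.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// One Temporary Exposure Key (TEK) covers 144 ten-minute intervals: the 24-hour key lifetime.
const TEKRollingPeriod = 144

// hkdfSHA256 is RFC 5869 HKDF-SHA256 (extract, then expand), standard library only.
func hkdfSHA256(ikm, salt, info []byte, length int) []byte {
	if salt == nil {
		salt = make([]byte, sha256.Size) // absent salt means HashLen zero bytes
	}
	ext := hmac.New(sha256.New, salt)
	ext.Write(ikm)
	prk := ext.Sum(nil)
	var okm, prev []byte
	for counter := byte(1); len(okm) < length; counter++ {
		exp := hmac.New(sha256.New, prk)
		exp.Write(prev)
		exp.Write(info)
		exp.Write([]byte{counter})
		prev = exp.Sum(nil)
		okm = append(okm, prev...)
	}
	return okm[:length]
}

// RollingProximityIdentifierKey: RPIK = HKDF(key=TEK, salt=none, info="EN-RPIK", 16 bytes).
func RollingProximityIdentifierKey(tek []byte) []byte {
	return hkdfSHA256(tek, nil, []byte("EN-RPIK"), 16)
}

// paddedData is the AES input block: "EN-RPI" || six zero bytes || uint32-LE interval number.
func paddedData(enin uint32) []byte {
	p := make([]byte, aes.BlockSize)
	copy(p, "EN-RPI")
	binary.LittleEndian.PutUint32(p[12:], enin)
	return p
}

// RollingProximityIdentifier is the 16-byte value broadcast during interval enin.
func RollingProximityIdentifier(rpik []byte, enin uint32) ([]byte, error) {
	block, err := aes.NewCipher(rpik)
	if err != nil {
		return nil, err
	}
	rpi := make([]byte, aes.BlockSize)
	block.Encrypt(rpi, paddedData(enin))
	return rpi, nil
}

// IdentifiersForKey regenerates every RPI a TEK yields from interval start onward.
func IdentifiersForKey(tek []byte, start uint32) ([][]byte, error) {
	block, err := aes.NewCipher(RollingProximityIdentifierKey(tek))
	if err != nil {
		return nil, err
	}
	ids := make([][]byte, TEKRollingPeriod)
	for i := range ids {
		ids[i] = make([]byte, aes.BlockSize)
		block.Encrypt(ids[i], paddedData(start+uint32(i)))
	}
	return ids, nil
}

// MatchObserved is the linkage step: given a published (positive) TEK and RPIs some party
// observed, e.g. read from the system log, return the interval of the first match, or -1.
func MatchObserved(tek []byte, start uint32, observed [][]byte) (int64, error) {
	ids, err := IdentifiersForKey(tek, start)
	if err != nil {
		return -1, err
	}
	for _, o := range observed {
		for i, id := range ids {
			if bytes.Equal(o, id) {
				return int64(start) + int64(i), nil
			}
		}
	}
	return -1, nil
}

func main() {
	tek := []byte("0123456789abcdef")  // constructed 16-byte TEK, not a real key
	start := uint32(1620000000 / 600) // ENIntervalNumber = floor(unix time / 600)
	rpik := RollingProximityIdentifierKey(tek)
	seen, _ := RollingProximityIdentifier(rpik, start+1) // as if copied out of a log
	fmt.Printf("RPI for interval %d: %x\n", start+1, seen)
	hit, _ := MatchObserved(tek, start, [][]byte{seen})
	fmt.Println("published TEK resolves that RPI to interval", hit) // prints start+1
}
```

The point to take from running it: the identifier alone carries no information an observer can use, which is why the design was called private, but the scheme's privacy rests entirely on who can see the identifiers and when the keys are published. A preinstalled app with log access holds the first half of that linkage for every phone it ships on.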

“The issue, Reardon said, is that hundreds of preinstalled apps like Samsung Browser and Motorola’s MotoCare on Android devices have access to potentially sensitive information that the contact tracing apps store in system logs—a byproduct of how the preinstalled apps receive information about user analytics and crash reports. … Studies have found that more than 400 preinstalled apps on phones built by Samsung, Motorola, Huawei, and other companies have permission to read system logs for crash reports and analytic purposes. In the case of contact tracing apps, Reardon found that the system logs included data on whether a person was in contact with someone who tested positive for COVID-19 and could contain identifying information such as a device’s name, MAC address, and advertising ID from other apps. In theory, that information could be swept up by preinstalled apps and sent back to their company’s servers. He has not found that any apps have actually gathered that data, but there’s nothing preventing them from doing so.”

Ah, third-party preinstalled apps. Perhaps Google could be forgiven for overlooking that vulnerability had it taken the problem seriously when it was brought to its attention. This past February, AppCensus researchers hired by the Department of Homeland Security found the issue and alerted Google. (They found no equivalent problem in the iPhone version.) Alas, Google has not fixed what Reardon calls a "one-line thing." Instead the company has issued vague promises of rolling out an update of some sort at some time. Very reassuring.

Cynthia Murrell, May 6, 2021
