Data privacy and safety: How secure are contact tracing Covid-19 apps?

2020-06-29

There has been a surge in the number of coronavirus contact-tracing mobile apps worldwide. These are backed by various governments and national health authorities. Special protocols have also been developed by the two major smartphone OS vendors, Apple and Google, along with guidelines from the EU. The higher adoption rate of such apps has raised many questions about the privacy of the personal data these apps may access, and about the potential abuse of such systems. Security researchers at Check Point have flagged the following concerns about contact tracing applications:

As some contact tracing apps rely on Bluetooth Low Energy (BLE), devices broadcast handshake packets that facilitate identification of contact with other devices. If not implemented correctly, hackers can trace a person's device by correlating devices and their respective identification packets.

Apps store contact logs, encryption keys and other sensitive data on devices. Sensitive data should be encrypted and stored in the application sandbox, not in shared locations. Even within the sandbox, root privileges or physical access to the device could compromise the data, more so if information such as GPS locations is stored.

Users can be susceptible to "man-in-the-middle" attacks and the interception of the app's traffic if all communications with the app’s back-end server are not properly encrypted.

It is important that contact tracing apps perform authentication when information is submitted to their servers, such as when a user posts their diagnosis and contact logs. Without proper authorisation in place, it could be possible to flood the servers with fake health reports, undermining the reliability of the whole system.
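One way to implement the submission check described above, as an added example that is not from the article or from any contact tracing project: the health authority issues a signed, single-use upload code with each confirmed diagnosis, and the back end rejects any report that lacks a valid one. The key, the code format, the validity window and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import time

# Constructed demo secret shared by the health authority and the back end (assumption).
AUTHORITY_KEY = b"constructed-demo-key-not-for-production"
CODE_TTL_SECONDS = 24 * 3600  # assumed validity window for an upload code


def issue_upload_code(test_id, issued_at, key=AUTHORITY_KEY):
    """Health authority side: bind a code to one confirmed test and an issue time."""
    msg = f"{test_id}|{issued_at}".encode()
    tag = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return f"{test_id}|{issued_at}|{tag}"


class ReportVerifier:
    """Back-end side: accept a diagnosis upload only with a valid, fresh, unused code."""

    def __init__(self, key=AUTHORITY_KEY):
        self._key = key
        self._used = set()  # a real service would keep this in a persistent store

    def verify(self, code, now=None):
        now = int(time.time()) if now is None else now
        parts = code.split("|")
        if len(parts) != 3 or not (parts[1].isascii() and parts[1].isdigit()):
            return "malformed"
        test_id, issued_at, tag = parts
        msg = f"{test_id}|{issued_at}".encode()
        expected = hmac.new(self._key, msg, hashlib.sha256).hexdigest()
        # Constant-time comparison on bytes: no timing leak, no error on odd input.
        if not hmac.compare_digest(expected.encode(), tag.encode()):
            return "bad-signature"
        if not 0 <= now - int(issued_at) <= CODE_TTL_SECONDS:
            return "expired"
        if test_id in self._used:
            return "replayed"  # one confirmed test authorises one report
        self._used.add(test_id)
        return "accepted"
```

Because the signature covers both the test identifier and the issue time, a client cannot mint codes or extend an old one, and the used-code set stops a single valid code from being replayed to inflate report counts.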

apps from official app stores, as they only allow authorised government agencies to publish such apps.

solution to scan applications and protect the device against malware, as well as verify that the device has not been compromised.

Jonathan Shimonovich, manager of mobile research, Check Point, says, "Contact tracing apps must maintain a delicate balance between privacy and security, since poor implementation of security standards may put users' data at risk. This comes down to questions on what data is collected, how it is stored, and how it is distributed."