A comprehensive review of 17 contact tracing apps, each from a different country, reveals that the vast majority of contact tracing apps built and deployed by governments are not sufficiently secured.
A new report from mobile app security company Guardsquare included an assessment of 17 Android mobile contact tracing apps from 17 different countries across Europe, the Americas, and Asia-Pacific. All apps were built by government entities, with some supported by third-party contractors. Researchers noted it was not an exhaustive list, but “provides a window into the security flaws most contact tracing apps contain.”
Contact tracing—identifying individuals who may have come into contact with an infected person and then collecting data on these contacts—has helped stop previous deadly outbreaks, and the report’s researchers note that since the COVID-19 crisis began, many countries, as well as public and private organizations, have rushed to develop contact tracing apps.
From what’s known in the U.S. so far, contact tracing has proven to be a massive undertaking. In April, Google and Apple made big news when they announced a joint contact tracing effort that leverages Bluetooth technology and exposes application programming interfaces (APIs) to app developers, as leaders from the tech companies opted for a decentralized, opt-in approach.
The Guardsquare analysts said that contact tracing apps have been plagued with severe security issues from the start. Some apps, such as Qatar’s, have already experienced security threats, and researchers have raised legitimate fears about users’ data being broadcast and stolen, they reported.
Yet most of the developers behind these apps are still not taking proper security precautions, they said. When the Guardsquare team spoke with one country that had built its own contact-tracing app, the people behind it felt that they were not gathering any “data of interest,” and thus did not see the value of spending resources to improve security, according to the report.
The researchers conducted both static and dynamic analysis of each app, checking for six types of security and privacy protections across two key categories: code hardening (name obfuscation, string encryption, asset/resource encryption, and class encryption) and Runtime Application Self-Protection (RASP) (root detection and emulator detection).
Late last year, Guardsquare performed a similar security analysis on financial services mobile apps, and its researchers now say that like that examination, “it’s clear that the vast majority of contact tracing apps built and deployed by governments are not sufficiently secured. They are easy for hackers to decompile, attack, and even create fake clones, and are likely to lead to security breaches if they have not already.”
More specifically, the data shows that:
- Only 41 percent have root detection
- Only 41 percent include some level of name obfuscation
- Only 29 percent include string encryption
- Only 18 percent include emulator detection
- Only 6 percent include asset/resource encryption
- Only 6 percent include class encryption
- Just one of the apps analyzed was fully obfuscated and encrypted
In the U.S. specifically, the report found that 100 percent of apps include some level of name obfuscation and string encryption, but none include asset/resource encryption or class encryption, and none have root detection or emulator detection.
Notably, the researchers pointed out that in most cases, these apps are opt-in—but in this analysis, three of the apps that were analyzed are mandatory, meaning that citizens of those nations are compelled to download and use them.
The combined population of the three countries that have mandatory apps is about 1.4 billion people. Of the mandatory apps, just one-third (33 percent) use any name obfuscation or root detection, and none use any type of encryption or emulator detection, the researchers noted.
They further pointed out that for contact tracing programs to be successful, the vast majority of people need to participate. They concluded, “When security flaws are publicized, the whole app is suddenly distrusted and its utility wanes as users drop off. If these apps are improperly secured (as most are), user data—in particular, location information—may be at risk. This is a security issue and a major privacy concern, and can even run organizations up against compliance laws like GDPR, potentially resulting in massive fines, as well as reputational and trust issues.”
They added, “We recognize that many governments employ third-party contractors to develop these apps, but this does not absolve them of responsibility. Anyone disseminating contact tracing apps must impose minimum standards of quality and security on the third parties or internal teams who are developing them.”