The Android version of Google and Apple’s COVID-19 exposure notification app had a privacy loophole that allowed other preinstalled apps to potentially see sensitive data, including if someone had been in contact with it. someone tested positive for COVID-19, privacy analysis firm AppCensus revealed on Tuesday. Google says it is currently rolling out a fix for the bug.
The bug goes against repeated promises by Google CEO Sundar Pichai, Apple CEO Tim Cook and many public health officials that the data collected by the exposure notification program could not be shared outside of a person’s device.
AppCensus first reported the vulnerability to Google in February, but the company was unable to resolve it, Markup reported. Solving the problem would be as easy as removing a few nonessential lines of code, said Joel Reardon, co-founder and head of forensics at AppCensus. Markup. “It’s such an obvious solution, and I was flabbergasted that it wasn’t seen like this,” Reardon said.
Updates to resolve the issue are “ongoing,” Google spokesman José Castañeda said in an emailed statement to The markup. “We were made aware of an issue where Bluetooth credentials were temporarily accessible to specific system-level applications for debugging purposes, and we immediately began deploying a fix to resolve this issue,” he said. declared.
The exposure notification system works by pinging anonymized Bluetooth signals between a user’s phone and other phones on which the system is enabled. Then, if a person using the app is positive for COVID-19, they can work with health authorities to send an alert to all phones with the corresponding signals stored in the phone’s memory.
On Android phones, contract tracking data is saved in privileged system memory, where it is inaccessible to most software running on the phone. But apps preinstalled by manufacturers have special system privileges that would allow them to access these logs, putting sensitive contact tracing data at risk. There is no indication that any app has actually collected this data at this point, Reardon said.
Preinstalled apps have already taken advantage of their special permissions – other surveys show that they sometimes collect data such as geolocation information and phone contacts.
The scan did not find any similar issues with the exposure notification system on iPhone.
The problem is an implementation issue and is not inherent in the exposure notification framework, Serge Egelman, chief technology officer at AppCensus, said in a statement. posted on twitter. This should not erode confidence in public health technologies. “We hope the lesson here is that it is really difficult to ensure confidentiality, vulnerabilities will always be found in systems, but it is in everyone’s best interest to work together to resolve these issues,” said said Egelman.