Android devices expose contact tracing data to hundreds of third-party apps, finds analysis of ‘privacy-first’ Apple-Google framework
Google’s Android implementation of the Covid-19 exposure notification framework it developed with Apple allows hundreds of third-party apps to access sensitive data, according to a new study.
AppCensus, which focuses on Android privacy issues, found that Android devices store the data collected under the exposure notification framework in system logs that are accessible by some third-party apps.
The apps maintain a local record of those identifiers which can then be matched up with a list corresponding to people who have tested positive for Covid-19.
The user can then be notified if they have been in contact with a positive case.
Apple and Google say that because the contact-matching process takes place locally, the recorded data is kept private.
In fact, the companies blocked a recent update to the NHS’ app that would have allowed users to share some data with a central server, which is not allowed under the privacy-centric terms of the framework.
However, AppCensus found that Android devices store the recorded data in the devices’ system logs, which store data such as crash reports for analytics purposes.
Apps are not ordinarily given access to such logs, but Google allows some hardware manufacturers, network operators and commercial partners to pre-install “privileged” apps that do have access.
A stock Xiaomi Redmi Note 9 has 54 pre-installed apps that can read system logs, while a stock Samsung Galaxy A11 includes 89 such apps, AppCensus said in an advisory.
“They are now receiving users’ medical and other sensitive information as a result of Google implementation,” wrote AppCensus co-founder and forensics lead Joel Reardon.
In addition to the Rolling Proximity Identifiers (RPIs) used for contact-matching purposes, the framework also stores the MAC addresses sent by nearby devices.
While both the RPIs and the MAC addresses are randomised and anonymised, AppCensus determined that the data could be combined with different datasets to determine whether a user has tested positive for Covid-19, whether they have been in contact with an infectious person or even potentially whether two people encountered one another.
Reardon emphasised that the issue is an implementation flaw and not a problem with the framework itself.
He said Google failed to fix the problem after being notified in February, so AppCensus disclosed it publicly after 60 days.
Google said it began rolling out an update to fix the problem several weeks ago and that the process would be complete within a few days.
“We were notified of an issue where the Bluetooth identifiers were temporarily accessible to some pre-installed applications for debugging purposes,” the company said.
“Immediately upon being made aware of this research, we began the necessary process to review the issue, consider mitigations and ultimately update the code.”
The company added that Bluetooth identifiers do not reveal a user’s location or provide other identifying information.
“We have no indication that they were used in any way – nor that any app was even aware of this,” Google stated.
AppCensus carried out the study as part of a nearly $200,000 (£143,000) grant by the Department of Homeland Security earlie this year to test and validate the reliability of contact-tracing apps.