Android ‘Exposes’ Covid-19 Contact Tracing Data

Google’s Android implementation of the Covid-19 exposure notification framework it developed with Apple allows hundreds of third-party apps to access sensitive data, according to a new study.

AppCensus, which focuses on Android privacy issues, found that Android devices store the data collected under the exposure notification framework in system logs that are accessible by some third-party apps.

Apps that use the exposure notification API, such as the NHS’ Covid-19 app, record anonymised identifiers broadcast via Bluetooth from other nearby mobile devices.

The apps maintain a local record of those identifiers which can then be matched up with a list corresponding to people who have tested positive for Covid-19.

Private data

The user can then be notified if they have been in contact with a positive case.

Apple and Google say that because the contact-matching process takes place locally, the recorded data is kept private.

In fact, the companies blocked a recent update to the NHS’ app that would have allowed users to share some data with a central server, which is not allowed under the privacy-centric terms of the framework.

However, AppCensus found that Android devices store the recorded data in the devices’ system logs, which store data such as crash reports for analytics purposes.

Apps are not ordinarily given access to such logs, but Google allows some hardware manufacturers, network operators and commercial partners to pre-install “privileged” apps that do have access.
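The following is an added illustration, not code from AppCensus, Google or any Covid-19 app, of the two behaviours the article contrasts: matching recorded identifiers against the positive list locally on the device, and what the device then writes to a shared log. The identifiers, MAC addresses and log format are constructed sample values; the leak check scans a log line for any recorded identifier material.

```python
from collections import defaultdict

# Constructed sample data (not real identifiers): each entry is
# (timestamp_seconds, rolling_proximity_identifier_hex, bluetooth_mac)
# as recorded by the phone from nearby devices over Bluetooth.
OBSERVATIONS = [
    (1000, "0a1b2c3d4e5f60718293a4b5c6d7e8f9", "6a:4f:11:22:33:44"),
    (1300, "0a1b2c3d4e5f60718293a4b5c6d7e8f9", "6a:4f:11:22:33:44"),
    (1700, "0a1b2c3d4e5f60718293a4b5c6d7e8f9", "6a:4f:11:22:33:44"),
    (2000, "ffeeddccbbaa99887766554433221100", "c2:00:55:66:77:88"),
]
# Constructed list of identifiers published for people who tested positive.
POSITIVE_RPIS = {"0a1b2c3d4e5f60718293a4b5c6d7e8f9"}


def match_locally(observations, positive_rpis, min_contact_seconds=600):
    """Return {rpi: seconds_in_contact} for recorded identifiers that are on the
    positive list and were seen for at least min_contact_seconds.
    Nothing leaves the device; this is the local matching the article describes."""
    seen = defaultdict(list)
    for ts, rpi, _mac in observations:
        if rpi in positive_rpis:
            seen[rpi].append(ts)
    return {rpi: max(t) - min(t) for rpi, t in seen.items()
            if max(t) - min(t) >= min_contact_seconds}


def unsafe_log_line(ts, rpi, mac):
    """The behaviour reported: identifier and MAC written verbatim to a log
    that privileged pre-installed apps can read."""
    return f"{ts} ExposureNotification: saw rpi={rpi} mac={mac}"


def safe_log_line(ts, count):
    """Logs only what debugging needs (that a scan ran and how many identifiers
    were stored), so nothing in the line can be joined with other datasets."""
    return f"{ts} ExposureNotification: scan complete, {count} identifiers stored"


def log_leaks_identifiers(line, observations):
    """Check whether a log line contains any recorded identifier or MAC."""
    lowered = line.lower()
    return any(rpi.lower() in lowered or mac.lower() in lowered
               for _ts, rpi, mac in observations)
```

A test of this kind over every log line the exposure code emits is the check a reviewer would want before shipping: the match result should be the only thing the app derives, and no identifier or MAC should ever appear in log output.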

Implementation bug

A stock Xiaomi Redmi Note 9 has 54 pre-installed apps that can read system logs, while a stock Samsung Galaxy A11 includes 89 such apps, AppCensus said in an advisory.

“They are now receiving users’ medical and other sensitive information as a result of Google implementation,” wrote AppCensus co-founder and forensics lead Joel Reardon.

In addition to the Rolling Proximity Identifiers (RPIs) used for contact-matching purposes, the framework also stores the MAC addresses sent by nearby devices.

While both the RPIs and the MAC addresses are randomised and anonymised, AppCensus determined that the data could be combined with different datasets to determine whether a user has tested positive for Covid-19, whether they have been in contact with an infectious person or even potentially whether two people encountered one another.

Reardon emphasised that the issue is an implementation flaw and not a problem with the framework itself.

He said Google failed to fix the problem after being notified in February, so AppCensus disclosed it publicly after 60 days.

Android update

Google said it began rolling out an update to fix the problem several weeks ago and that the process would be complete within a few days.

“We were notified of an issue where the Bluetooth identifiers were temporarily accessible to some pre-installed applications for debugging purposes,” the company said.

“Immediately upon being made aware of this research, we began the necessary process to review the issue, consider mitigations and ultimately update the code.”

The company added that Bluetooth identifiers do not reveal a user’s location or provide other identifying information.

“We have no indication that they were used in any way – nor that any app was even aware of this,” Google stated.

AppCensus carried out the study as part of a nearly $200,000 (£143,000) grant from the Department of Homeland Security earlier this year to test and validate the reliability of contact-tracing apps.

Matthew Broersma

Matt Broersma is a long-standing tech freelancer who has worked for Ziff-Davis, ZDNet and other leading publications.
