The NHSX, a technology group within the UK government's National Health Service, has released the source code for its Android and iOS COVID-19 coronavirus contact-tracing apps in an effort to allay privacy concerns and improve the code.
Developers who have examined the blueprints have not been entirely mollified, and have called out several potential problems.
For example, the apps, which are supposed to be pro-privacy, use Google Analytics and the Firebase Analytics framework, configured in a way that allows personalized web advertisements. They also generate a "private" key that is not really private, because it is created on a remote server rather than on the user's device. And they link to insecure HTTP resources.
What's more, the Android app exhibits bugs that affect OnePlus devices.
Upon startup, the apps request Bluetooth and push notification permissions and reach out to api.svc-covid19.nhs.uk with an activation code, a push notification token, and a portion of the user-entered postal code. The server replies with a linkingId that gets stored in the user's app settings.
"You are given a persistent anonymous ID by the system and that's used to create a broadcast id," explained Professor Alan Woodward, of England's University of Surrey, in a phone interview with The Register. "When you're diagnosed as positive that gets sent up to the server. They have a single key that can unlock that and get your persistent identifier."
The server receives a history of interactions when a person chooses to report symptoms and that gets run through an algorithm to compute a risk score that's used to determine whether people who came in contact with the reporting person should be notified.
The apps, currently being tested on the Isle of Wight, are designed to listen for Bluetooth emissions from nearby devices also running the apps, be they Android or Apple. The idea is to record when people come close to each other so that when someone declares they have COVID-19, the folks they have encountered can be warned.
While the NHSX apps appear not to track user location, consistent with NHSX representations, it's claimed the Android version requests location permissions that are unnecessary and could be used after an update to track user location.
In an analysis on Thursday, Reincubate, a UK-based developer tools software biz, said that the inclusion of the ACCESS_FINE_LOCATION permission in the Android app is necessary for using Bluetooth, because Android gates Bluetooth Low Energy scanning behind a location permission. The iOS version, the company says, does not request location permissions.
Overall, Reincubate considers the apps to be relatively well-behaved, respecting platform rules and not storing sensitive data. The firm observes that they use some clever workarounds to remain active and alert to nearby devices, at the likely expense of battery life.
Other programmers – noting that, for the iOS version, Bluetooth discovery may fail when two locked devices come in range – disagree, characterizing the workaround as a violation of Apple's rules.
iPhones and iPads clamp down on applications that use Bluetooth while running in the background. To get around the limitations, the UK government's software uses various tricks, such as a timer to emit Bluetooth signals every few seconds and listen for responses. This maintains ping-pong-like communications between nearby devices, keeping the tracing software alert.
However, there are some worst-case scenarios in which the iOS app may stop working as expected and miss nearby devices, which is not great for a contact-tracing program.
Apple and Google, meanwhile, developed a framework for "Privacy Preserving Contact Tracing," an effort to accommodate government demand for better health data to deal with the coronavirus outbreak; neither tech giant wants to stand in the way of nationally backed projects, and both would prefer that contact tracing apps conform to an acceptable standard.
The Apple-Google API is designed to support background scanning of nearby devices in a more battery efficient manner, via the operating system, rather than periodically waking up apps. The framework is also decentralized to prevent tracking and identification of users and those they've come in contact with. Any data is shared with healthcare providers' databases; Apple and Google see none of it.
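To make the difference between the two designs concrete, here is an added illustration in Python; it is not code from NHSX, Apple or Google. It uses HMAC-SHA256 as a stand-in for the real public-key and AES primitives, constructed activation codes, push tokens, postcode prefixes and timestamps, and a 10-minute rotation period chosen for the example. In the centralised half, the server links a broadcast value back to a registered identity by recomputing it from a single master key, which plays the role of the "single key that can unlock" a broadcast in Prof Woodward's description; in the decentralised half, only a diagnosed user's daily key is ever uploaded and matching runs on each phone.

```python
"""Who can link a broadcast identifier to a person: centralised vs decentralised."""
import hashlib
import hmac
import secrets

# Constructed parameters for the illustration only (not taken from any real app).
EPOCH_SECONDS = 600   # how often a device rotates its broadcast identifier
ID_LEN = 16           # bytes of identifier actually put on the air


def prf(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 keyed derivation; stands in for the real ECIES/AES primitives."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for part in parts:
        mac.update(part)
    return mac.digest()


def epoch(ts: int) -> bytes:
    return (ts // EPOCH_SECONDS).to_bytes(4, "big")


# ---- centralised model: one server-held master key behind every identifier ----
class CentralServer:
    def __init__(self) -> None:
        self.master = secrets.token_bytes(32)
        self.registry: dict[str, dict] = {}      # linkingId -> registration record

    def device_secret(self, linking_id: str) -> bytes:
        # Derived from the master key, so the server can regenerate it at any time.
        return prf(self.master, b"device", linking_id.encode())

    def register(self, activation_code: str, push_token: str, postcode_prefix: str):
        linking_id = secrets.token_hex(8)
        self.registry[linking_id] = {"push": push_token, "postcode": postcode_prefix}
        return linking_id, self.device_secret(linking_id)

    def resolve(self, broadcast: bytes, ts: int):
        """Map a broadcast value back to the persistent identifier behind it.
        Trial recomputation over the registry replaces public-key decryption here;
        the property is the same: one server key links every broadcast to a person."""
        for linking_id in self.registry:
            expected = prf(self.device_secret(linking_id), b"bcast", epoch(ts))[:ID_LEN]
            if hmac.compare_digest(expected, broadcast):
                return linking_id
        return None

    def report(self, history):
        """Symptom report: the server resolves every contact the reporter uploaded."""
        return {self.resolve(b, ts) for b, ts in history} - {None}


class CentralDevice:
    def __init__(self, server, activation_code, push_token, postcode_prefix):
        self.linking_id, self.secret = server.register(activation_code, push_token, postcode_prefix)
        self.history = []                        # (broadcast heard, timestamp)

    def broadcast(self, ts: int) -> bytes:
        return prf(self.secret, b"bcast", epoch(ts))[:ID_LEN]

    def observe(self, broadcast: bytes, ts: int) -> None:
        self.history.append((broadcast, ts))


# ---- decentralised model: the key leaves the phone only if its owner is diagnosed ----
def rolling_id(daily_key: bytes, ts: int) -> bytes:
    return prf(daily_key, b"rpi", epoch(ts))[:ID_LEN]


class DecentralDevice:
    def __init__(self) -> None:
        self.daily_key = secrets.token_bytes(16)
        self.seen: set[bytes] = set()

    def ident(self, ts: int) -> bytes:
        return rolling_id(self.daily_key, ts)

    def observe(self, rid: bytes) -> None:
        self.seen.add(rid)

    def match(self, published_keys, day_start: int):
        """On-device matching: rebuild each diagnosed key's identifiers for the day
        and intersect with what this phone heard. The server never sees `seen`."""
        hits = set()
        for key in published_keys:
            for ts in range(day_start, day_start + 86400, EPOCH_SECONDS):
                rid = rolling_id(key, ts)
                if rid in self.seen:
                    hits.add(rid)
        return hits


def demo():
    t0 = 1_588_000_000                        # constructed timestamp (May 2020)
    # Centralised: Bob reports symptoms; the server learns, by identity, who Bob met.
    srv = CentralServer()
    alice = CentralDevice(srv, "ACT-001", "push-a", "SW1A")   # constructed values
    bob = CentralDevice(srv, "ACT-002", "push-b", "PO30")
    carol = CentralDevice(srv, "ACT-003", "push-c", "PO30")
    bob.observe(alice.broadcast(t0), t0)
    bob.observe(carol.broadcast(t0 + EPOCH_SECONDS), t0 + EPOCH_SECONDS)
    # Decentralised: Alice is diagnosed and uploads only her own daily key.
    d_alice, d_bob, d_carol = DecentralDevice(), DecentralDevice(), DecentralDevice()
    d_bob.observe(d_alice.ident(t0))
    d_carol.observe(d_bob.ident(t0))          # Carol never met Alice
    published = [d_alice.daily_key]           # all the server ever relays
    day_start = t0 - t0 % 86400
    return {
        "server_resolves": srv.report(bob.history),
        "alice_id": alice.linking_id,
        "carol_id": carol.linking_id,
        "unlinkable_to_bystander": alice.broadcast(t0) != alice.broadcast(t0 + EPOCH_SECONDS),
        "bob_hits": d_bob.match(published, day_start),
        "carol_hits": d_carol.match(published, day_start),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the asymmetry the article is circling around: in the centralised model, Bob's symptom report hands the server a resolved list of the people he met (Alice and Carol, by linkingId), even though a bystander hearing Alice's rotating broadcasts could not tie two of them together; in the decentralised model, the server handles nothing but Alice's published key, Bob's phone finds the match itself, and Carol's phone, which never heard Alice, finds nothing.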
The NHSX apps do not use the Apple-Google framework, though the UK government is said to be mulling tapping the API.
There are at least 60 such contact-tracing app projects underway, some backed at a national level, others driven by interested organizations, in countries around the world. Some use centralized models, others decentralized ones; some are compulsory and others are voluntary.
Australia's contact tracing app, COVIDsafe – the source code of which was also shared this week – has come under fire from independent software engineer Geoffrey Huntley for failing to address privacy problems brought to the attention of the app's developers. A recent update, 1.0.16, did not address most of the issues raised.
Australia is also shifting its app to the Apple-Google API after failing to work around the background Bluetooth limitations in iOS.
"Because these apps are being introduced so rapidly and there's not a lot of modesty on the part of developers or protection on the part of policy makers, there's a huge potential for this to go wrong," said Ashkan Soltani, an independent researcher and technologist who has served as Chief Technology Officer in the White House Office of Science and Technology Policy and Chief Technologist at America's consumer watchdog, the FTC.
Soltani said that while we need ways to expand COVID-19 testing capacity and to augment limited human-driven contact tracing, the potential consequences of these apps are not yet known. He said he had identified at least one attack on the Apple-Google platform that would also affect the UK apps. The attack involves a malicious actor generating a cascade of notifications on people's phones after intercepting tokens grabbed from network traffic at clinics.
For these apps to be effective, mass uptake is critical. Soltani said that smartphone penetration in the US is about 81 per cent, which means you could achieve about 65 per cent efficiency (both people in an encounter need to be carrying the app, and 0.81 × 0.81 is roughly 0.66). That's if everyone in the country with a smartphone installed and used a contact tracing app, "which we know won't be the case," he said.
False negatives and false positives are also a problem. Soltani said he was aware of people complaining that such apps don't work reliably due to platform limitations (which the Apple-Google framework aims to address).
Prof Woodward said that while there's been an active discussion about whether a decentralized model for the app would be better, there's a more fundamental problem.
"Who is the customer for this and what did they ask for?" he said. "When it comes to data protection, I prefer to collect the least amount of information necessary. Is this about proximity alerts or getting extra information? The technologists have been asked to build a system in a certain way and it's likely there's nobody in the loop saying, 'You don't really need this'." ®