Security News

Contact tracing apps face their day of reckoning

Jaya Baloo, 16 July 2020

Tracing apps could do good for states looking to safely reopen, but the associated risks may be severe enough to tip the scales.

Covid-19 contact tracing apps are becoming a hot topic these days, and the debate surrounding their use is going to intensify in the next few months. They’re a promising solution for a society desperately trying to respond to the pandemic. But are the security risks contact tracing apps carry going to be severe enough to outweigh their potential benefits? And are consumers going to use the apps often enough for them to make a difference?

These are open questions that’ll be resolved when more apps hit the U.S. market. Three states – Alabama, North Dakota and South Dakota – have deployed or are developing apps that track who an infected person may have had contact with. Google and Apple have partnered to create a software framework for developers to create apps that’ll work on their phones. About 20 apps are currently in development.

So far, security has been a thorny issue. The North Dakota app, Care19, experienced a data leak right out of the box. State officials admitted that the app inadvertently sent users’ location data to Foursquare. Elsewhere, researchers found bugs in apps developed for Qatar, India, the United Kingdom, Australia and the Netherlands that would have exposed users’ locations, personal information and/or personal contacts. The Care19 issue was fixed, but what about the next one in line? The industry’s rush to get to market and the U.S.’s weak security oversight system make the whole contact tracing process vulnerable.

What's more, the Avast Threat Labs team has reported on an Iranian Covid-19 app that collected sensitive information from users, including their real-time geo-location details. Due to the excessive permissions that it requires, the app was potentially being misused as stalkerware. During the month of June 2020, the app had 169 attempted installs in the U.S. alone. 

Clearly, hackers see tracing apps as a huge opportunity. As Politico recently outlined in a comprehensive piece, you could envision agenda-driven “hacktivists” trying to take down the apps to get attention, cybercrime gangs stealing identities or a political group ID’ing a candidate’s secret contacts.

“While the apps are designed to help scale human efforts to do so, they’re also a double-edged sword when seen through a lens of individual privacy and security,” Kelvin Coleman, executive director of the National Cyber Security Alliance, told Politico.

Still, the question remains: Will the apps truly catch on?

For an app to stop an outbreak in a given community, 60% of the population would have to use it, according to a recent University of Oxford study. The same study suggested a smaller set of users, down to around 10%, could still reduce the number of cases and deaths. Other countries haven’t hit that threshold. France is lower than 3%, and Italy’s at about 6%. Care19 in North and South Dakota is in the low single digits.

When contact tracing apps hit your market, what should you do to protect your own information? For one thing, you have to choose to install it. Your information doesn’t transmit unless you install the app. You also can exercise the same kinds of good judgment you do when downloading any app: 

  • Take a look at what information you’re potentially giving up
  • Accept or deny certain provisions using discretion
  • Make sure to look at what permissions you’re awarding before downloading the app