Hundreds of third-party apps in Android devices were given access to sensitive data logged by contact-tracing apps built on Google and Apple's API, according to security researchers.
AppCensus, a US-based start-up that specializes in analyzing the privacy practices of Android apps, was granted almost $200,000 by the Department of Homeland Security earlier this year to test and validate the reliability of contact-tracing apps.
The company's researchers found that Android phones logging data from apps using Google and Apple's Exposure Notifications System (ENS) were recording key contact-tracing information in the device's system logs, which are used for debugging purposes and are normally where apps obtain information about user analytics and crash reports.
Not all apps can read system logs. On Android, however, Google allows some hardware manufacturers, network operators and commercial partners to pre-install "privileged" apps, and part of that privilege is access to system logs.
On a stock Xiaomi Redmi Note 9, for example, 54 apps are allowed to read system logs, while 89 apps can do so on a Samsung Galaxy A11. "They are now receiving users' medical and other sensitive information as a result of Google's implementation," said AppCensus co-founder and forensics lead Joel Reardon in a blog post.
Google and Apple jointly released ENS last year, as a way of assisting health authorities around the world in building contact-tracing apps compatible with the privacy imperative that, according to both companies, underpins the Android and iOS ecosystems.
The API developed by Apple and Google enables governments to create decentralized contact-tracing apps that rely on Bluetooth signals.
Devices running the app emit anonymous identifiers that change periodically, called rolling proximity identifiers (RPIs). These are broadcast over Bluetooth so that they can be "heard" by surrounding phones that are also using the app. As well as broadcasting their own RPIs, handsets therefore also log every RPI they hear.
If a user later tests positive for COVID-19, the health authorities issue a list of all the RPIs broadcast by that user's phone. Each device then compares the list of infectious RPIs with the RPIs it has logged, and notifies the user if a risky contact is detected.
All of the matching is carried out locally on the phone, and in principle no data should leave the device unless the user decides to share with health services that they have tested positive for COVID-19. This is why Google and Apple call their system decentralized, and have pitched ENS as protecting privacy by design.
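The decentralized exchange described above, as an added simulation that is not part of this article or of Google and Apple's ENS code. It models rotating RPIs, the local "heard" log, the list a health authority releases after a positive test, and the on-device matching; the 15-minute rotation interval, the 16-byte identifier size and the device names are assumptions.

```python
import os
from dataclasses import dataclass, field

RPI_BYTES = 16          # assumption: 16 random bytes per identifier
ROTATION_MINUTES = 15   # assumption: a phone switches to a fresh RPI every 15 minutes


@dataclass
class Device:
    name: str
    own_rpis: list = field(default_factory=list)   # every RPI this phone has broadcast
    heard: list = field(default_factory=list)      # (rpi, minute) pairs this phone heard

    def current_rpi(self, minute):
        """Return the RPI broadcast at this minute, generating a new random one per interval."""
        idx = minute // ROTATION_MINUTES
        while len(self.own_rpis) <= idx:
            self.own_rpis.append(os.urandom(RPI_BYTES))
        return self.own_rpis[idx]

    def hear(self, rpi, minute):
        """Record an identifier received over Bluetooth; this stays in the app's own store."""
        self.heard.append((rpi, minute))

    def exposure_check(self, infectious_rpis):
        """Local matching: runs on the phone and returns the minutes of risky contact."""
        infectious = set(infectious_rpis)
        return sorted(minute for rpi, minute in self.heard if rpi in infectious)


def simulate_encounter(a, b, start_minute, end_minute):
    """Two phones within Bluetooth range hear each other's current RPI once per minute."""
    for minute in range(start_minute, end_minute):
        a.hear(b.current_rpi(minute), minute)
        b.hear(a.current_rpi(minute), minute)


def health_authority_release(device):
    """Published only if the user consents after a positive test: that phone's own RPIs."""
    return list(device.own_rpis)


def run_scenario():
    alice, bob, carol = Device("alice"), Device("bob"), Device("carol")
    simulate_encounter(alice, bob, 100, 130)   # 30 minutes together
    simulate_encounter(bob, carol, 300, 310)   # carol never meets alice
    infectious = health_authority_release(alice)  # alice tests positive and shares
    return {d.name: d.exposure_check(infectious) for d in (alice, bob, carol)}
```

Only Bob's phone reports contact minutes, and it does so without sending its own log anywhere; Carol's phone heard only Bob, whose RPIs were never published.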
A large number of users have now downloaded contact-tracing apps that were created thanks to Apple and Google's ENS. In the UK, the NHS COVID-19 app was downloaded over 21 million times, for instance, while Germany's CoronaWarn app is used by over 25 million residents.
AppCensus's findings now show that the privacy promise made by the two tech giants has some shortcomings. Reardon and his team found that both the RPIs a phone broadcasts and the RPIs it hears can be found in Android phones' system logs, and for the RPIs that were heard, the device also logs the current Bluetooth MAC address of the sending device.
"Of course, the information has to be logged somewhere in order to do the contact-tracing, but that should be internally in the ENS," Gaetan Leurent, researcher at the French National Institute for Research in Digital Science and Technology (INRIA), who did not participate in the research, tells ZDNet. "It is unsettling that this information was stored in the system log. There is no good reason to put it there."
Although the RPIs and the Bluetooth MAC addresses are random and anonymized, AppCensus identified several ways that the data could be used and computed to carry out privacy attacks.
Combined with different datasets, the RPIs could be used to figure out whether a user has tested positive for COVID-19, whether they have been in contact with an infectious person, or even – with access to several users' system logs – whether two people encountered each other.
"The whole contact-tracing system is supposed to be privacy-preserving, and it's supposed to avoid exactly this kind of information leaking," says Leurent. "So it really defeats the whole protection that is supposed to be at the basis of this protocol."
In this case, the fix is easy: all it takes is for Google to stop ENS from logging data in the device's system log. Reardon stressed that the issue was not an inherent flaw of contact-tracing, but rather an implementation error in the system.
Yet AppCensus reports that when the researchers disclosed the issue to Google the search giant failed to acknowledge or fix the issue. After 60 days elapsed, the analysts decided to follow Google's own recommendations on bug bounties and make their findings public.
A Google spokesperson told ZDNet: "We were notified of an issue where the Bluetooth identifiers were temporarily accessible to some pre-installed applications for debugging purposes. Immediately upon being made aware of this research, we began the necessary process to review the issue, consider mitigations and ultimately update the code."
"These Bluetooth identifiers do not reveal a user's location or provide any other identifying information and we have no indication that they were used in any way – nor that any app was even aware of this."
According to Google, the rollout of the update to Android devices began several weeks ago and will be complete in the coming days.
For Leurent, who has undertaken extensive research on the privacy issues that come with contact-tracing apps, this only ties in with a wider debate that needs to be held about the benefits and risks of the technology.
The researcher's previous publications showed that no matter the implementation, there will inevitably be a privacy risk when it comes to using digital technologies for contact tracing. "Now, whether this is a big deal or not is something to be discussed," he says, "but I think we really need a debate evaluating those risks and benefits. For contact-tracing apps, we've never really had those discussions.
"These apps have been used for one year now and we still have very little information about how well they work. My intuition is that the benefits are not very high."
Research published by scientists from the Alan Turing Institute and Oxford University in the UK recently showed encouraging preliminary results for the NHS COVID-19 app, with experimental calculations concluding that the technology had potentially prevented up to 600,000 positive cases across the country.
However, the researchers themselves admitted that obtaining a complete understanding of the app's efficiency was scientifically difficult, due to the many factors that could have influenced the results.
Critics, on the other hand, have repeatedly put forward that contact-tracing apps lack accuracy and fail to show relevant benefits unless there is uptake among the vast majority of the population.