Part of a ZDNet Special Feature: Coronavirus: Business and technology in a pandemic

Locked iPhones rendered almost useless in Australia's COVIDSafe tracking efforts

Software engineer Richard Nelson says a locked iPhone with an expired ID cannot retrieve a new one, and without an ID, the device cannot be recorded by others.

Almost two months after the federal government released Australia's coronavirus contact tracing app, researchers are still poking holes in the security of COVIDSafe.

Software engineer Richard Nelson, who was part of a team of researchers that found other bugs in COVIDSafe, has detailed a bug affecting iPhone users, rendering their device basically useless when it comes to tracking efforts.


A locked iPhone with an expired ID cannot generate a new ID. Without an ID, Nelson said the device will record other devices around it, but cannot be recorded by others.

"A device in this state will record other people around it, but will not be recorded by others. If all relevant devices are in this state, no encounters are logged," he wrote.

"One could imagine Alice packing her bag, putting her iPhone in and going out for the day to a football game. With her device in this state, nobody else will record her presence, and if anyone around her tested positive she would not be contacted."

Technically speaking, Nelson said COVIDSafe uses KeychainSwift to store the JSON Web Token (JWT) used to fetch new TempIDs from the backend.

"When setting a new TempID locally, COVIDSafe uses the default value for the KeychainSwiftAccessOptions parameter, which is AccessibleWhenUnlocked. This means the keychain item cannot be accessed when the device is locked," Nelson said.

"When a new TempID is needed, GetTempIdAPI tries to extract the JWT from the keychain in order to fetch a new TempID from the API. This fails when the device is locked, and so a TempID is unavailable."
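The keychain behaviour Nelson describes, shown as an added Swift sketch that is not COVIDSafe's own code: the default accessibility class next to one that stays readable while the device is locked, plus a read path that tells "locked" apart from "missing". The key name `example.jwt` and the types `TokenStore` and `TokenReadError` are hypothetical; the KeychainSwift calls and Security status codes are the libraries' real ones.

```swift
import Foundation
import Security
import KeychainSwift  // third-party keychain wrapper named in the article

// Hypothetical key name; the app's real key is not given in the article.
let jwtKey = "example.jwt"

enum TokenReadError: Error {
    case deviceLocked      // errSecInteractionNotAllowed: item not readable while locked
    case missing           // errSecItemNotFound: nothing stored under this key
    case other(OSStatus)
}

struct TokenStore {
    let keychain = KeychainSwift()

    // Behaviour described in the article: no withAccess argument, so the item
    // gets the default class, accessibleWhenUnlocked, and reads fail once
    // the screen is locked.
    func saveDefault(_ jwt: String) -> Bool {
        keychain.set(jwt, forKey: jwtKey)
    }

    // Alternative class: readable while locked, provided the device has been
    // unlocked once since boot. ThisDeviceOnly keeps the item out of backups
    // and device migration. Trade-off: the token is decryptable for longer.
    func saveForBackgroundUse(_ jwt: String) -> Bool {
        keychain.set(jwt, forKey: jwtKey,
                     withAccess: .accessibleAfterFirstUnlockThisDeviceOnly)
    }

    // Report why a read failed so the caller can log it and retry on unlock
    // instead of silently continuing without a TempID.
    func readJWT() -> Result<String, TokenReadError> {
        if let jwt = keychain.get(jwtKey) {
            return .success(jwt)
        }
        switch keychain.lastResultCode {
        case errSecInteractionNotAllowed:
            return .failure(.deviceLocked)
        case errSecItemNotFound:
            return .failure(.missing)
        case let status:
            return .failure(.other(status))
        }
    }
}
```

An item already stored with the default class keeps that class until it is written again, and that rewrite has to happen while the device is unlocked.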

Nelson told ZDNet that if the iPhone user were to unlock their phone, without necessarily opening the COVIDSafe app, a new ID would be fetched.

"If Alice's device was locked and had an expired token, and Alice then unlocks her device to check email, for example, and if Bob's device then scans and picks up Alice's device, Bob will be able to read Alice's ID," Nelson added.

But if the device is locked again first, it won't be read.  

The example Nelson used shows the potential for a lot of tracing data to be missed, which is a problem if someone were to test positive and lots of other people had their devices locked for lengthy periods of time.

Nelson clarified this issue is only apparent on iPhones.

The Digital Transformation Agency (DTA) said in May that functional and performance testing was conducted for the Apple iOS and Google Android versions of the COVIDSafe App prior to release.

It said 179 functional tests were conducted, including Bluetooth encounters between various device types, in various states, including the phone being locked and unlocked, and the application being open and not open.

"All tests satisfied the baseline design requirements," the DTA said. "Performance tests were also conducted against the technical requirements."

The DTA said in these tests, the system "met and sustained the requirements and remained stable through the testing process".

"The successful testing results underpinned the Digital Transformation Agency's decision recommendation to release the COVIDSafe App into production," it explained. "Consistent with an agile development methodology, the DTA will continue to make iterative enhancements to the App."

In response to Nelson's findings, the DTA told ZDNet it continues to welcome feedback on COVIDSafe from the developer community, with previous feedback helping the DTA to improve the app.

"The DTA will continue to release updates to the COVIDSafe app to deliver a range of performance, security, and accessibility improvements as required," it said. "The Australian community can have confidence the app is working securely and effectively, despite the lack of community transmission of COVID-19."

COVIDSafe was released in April and has been touted by the federal government as crucial in returning to business as usual post-coronavirus.

As of Friday, over 6.3 million Australians have downloaded the app.


The government provided an update to its COVIDSafe plans on Friday, with a statement from Prime Minister Scott Morrison saying that under "step 3", at a minimum, COVIDSafe arrangements must be maintained including: One person per 4sqm; staying 1.5 metres away from other people whenever and wherever possible; maintaining good hand washing and cough/sneeze hygiene; staying home when unwell and getting tested if presenting any respiratory symptoms or a fever; and downloading the COVIDSafe app to "allow identification and traceability of people that have been in contact with a confirmed COVID case".

In a bid to build trust from Australians, however, it is considered an offence within the legislation surrounding COVIDSafe to require an individual to download the app, have the app in operation, or force someone to consent to uploading COVID app data.

The Prime Minister's office is yet to return a request for comment on the contradictory directive.
