People around the globe have always been apprehensive about the implementation and usage of the COVID-19 contact tracing apps. They feared that cybercriminals could target and misuse their personal data through them. Their worst nightmares came true in September 2020, when a study from Intertrust stated that almost 85% of COVID-19 contact tracing apps leak data. However, things are about to change as researchers from Queen Mary University of London (QMUL) have developed an assessment tool – called COVIDGuardian – which will help analyze the security and privacy gaps in these COVID-19 contact tracing apps.
COVIDGuardian Assessment Tool
With the sudden, uncontrollable spread of the COVID-19 pandemic, governments around the globe hurriedly developed contact tracing apps on a constricted timeline. Given the short release timelines, adhering to hardened security and privacy testing protocols would not have been possible. With this in mind, researchers at QMUL decided to develop an assessment tool that would find potential threats such as malware, embedded trackers, and private information leakage in these contact tracing apps.
Dr. Gareth Tyson, Senior Lecturer at the Queen Mary University of London, said, “With the pandemic, there was a rapid need for contact tracing apps to support efforts to control the spread of Covid-19. Unsurprisingly, we found that this had resulted in some relatively mainstream security bugs being introduced worldwide. Some of the most common risks are related to the use of out-of-date cryptographic algorithms and the storage of sensitive information in plain text formats that could be read by potential attackers.
Our work is helping developers address these problems. Through COVIDGuardian we’ve produced a tool that can be used by developers to discover and fix potential weaknesses in their apps and share guidelines that will help to ensure user privacy and security is maintained.”
To determine COVIDGuardian’s efficacy, the researchers assessed 40 COVID-19 contact tracing apps from around the globe. The study showed the following results:
- 5% of the apps use at least one insecure cryptographic algorithm.
- Three-quarters of apps contained at least one tracker that reports information to third parties such as Facebook Analytics or Google Firebase.
- Most of the 40 apps analyzed were malware-free, but the Kyrgyzstan app going by the name “Stop COVID-19 KG” was discovered to have malware.
Additionally, the researchers surveyed more than 370 individuals to find the likelihood of them using a COVID-19 contact tracing app. Not so surprisingly, they found that whether individuals would use an app depended most on the privacy and accuracy of these contact tracing apps.
The research, titled “An Empirical Assessment of Global COVID-19 Contact Tracing Applications”, will be presented soon at the International Conference on Software Engineering, which will be held from May 23 to 29, 2021. However, a copy of this paper can already be found here.