Android COVID-19 Notification App Gets Bug, Leaks Private Information to Preinstalled Apps

Sophie Webster, Tech Times 27 April 2021, 11:04 am

The COVID-19 notification app installed on Android phones had a privacy issue as it lets other preinstalled apps see sensitive information, including contact tracing details, which users tested positive for COVID-19, and more.

The bug from the Android app was reported by privacy analysis firm AppCensus on Apr. 27. Google stated that it is currently rolling out a fix to the bug.

Android Bug Leaks COVID-19 Information

The bug cuts against the repeated promises from Sundar Pichai, the CEO of Google, and Tim Cook, the CEO of Apple, and numerous public health officials that the data collected by the exposure notification Android app could not be shared outside of a user's device.

AppCensus raised the alarm about the vulnerability of the app to Google back in February. However, Google did not address the issue, according to the report by The Markup.

Fixing the issue would be as simple as deleting a few nonessential lines of code, according to Joel Reardon, the co-founder and forensics lead of AppCensus.

Reardon said that it is such an obvious fix, and he was flabbergasted that it was not seen as that.

Also Read: How NHS COVID-19 App Works: Find Out How To Download, Activate, and Explore The Features

Updates to address the issue are currently ongoing, according to Jose Castaneda, the spokesperson of Google.

In an email statement sent to The Markup, Castaneda said that they were notified of an issue where the Bluetooth identifiers were temporarily accessible to specific system level applications for debugging purposes, and they immediately started rolling out a fix to address this.

How Does the Bug Work?

The exposure notification system works by pinging the anonymized Bluetooth signals between the user's phone and other phones that also have their system activated.

If someone who is using the app tests positive for COVID-19, they can work with health authorities to send a health alert to any phones with corresponding signals logged in the phone's memory.

On Android phones, the contract tracing data is logged in the device's privileged system memory, where it is inaccessible to most software running on the phone.

However, apps that are preinstalled by manufacturers get special system privileges that would let them access those logs, putting sensitive contact-tracing data risk, and private information is leaked to third-party apps.

There is no concrete indication that any preinstalled apps have actually collected COVID-19 data, Reardon said.

Preinstalled apps have taken advantage of their special permissions in systems in the past. Other investigations show that preinstalled apps sometimes harvest data like geolocation information and phone contacts without the user's permission.

The analysis did not find any similar issues with the exposure notification system on iPhone, only on Android phones.

The problem is an implementation issue and not inherent to the exposure notification framework, according to Serge Egelman, the chief technology officer at AppCensus on Twitter.

It should not erode trust in public health technologies, Egelman said. They hope the lesson in this issue is that getting privacy right is difficult, vulnerabilities will always be discovered in systems, but that it is in everyone's interest to work together to remediate the issues, he added.