


When Google and Apple introduced the COVID-19 contact tracing framework in April 2020, they both aimed to reassure people who were worried about sharing personal health information with large corporations.

Google and Apple guaranteed that the data generated through the apps (people's movements, who they may have come into contact with, and whether they reported a positive COVID-19 test) would be anonymized and would not be shared with anyone other than public health agencies.

"Our goal is to empower [public health agencies] with another tool to fight the virus while protecting user privacy," Google CEO Sundar Pichai wrote in a tweet last May when the framework was made public.

Apple CEO Tim Cook provided a similar assurance.

Since then, millions of people have downloaded contact tracing apps developed through the Apple and Google framework. The UK National Health Service app has at least 16 million users, while the Canadian Digital Service's COVID Alert app boasted over 6 million downloads in January, and the Virginia Department of Health said over 2 million residents are using its COVIDWISE app.

California Governor Gavin Newsom said in a tweet last December that he approved the state version of the app and said it was 100% private and safe.

However, The Markup has learned that not only does the Android version of the contact tracing tool contain a privacy flaw, but when researchers at privacy analytics firm AppCensus warned Google about the issue in February of this year, Google did not change it. AppCensus was testing the system as part of a contract with the Department of Homeland Security. The company did not find a similar issue with the iPhone version of the framework.

The fix is a one-line change that removes the line that logs sensitive information to the system log. Joel Reardon, co-founder and forensics lead of AppCensus, said it would not affect the program and would not change the way it behaves. "With such an obvious fix, I was surprised that it didn’t look like that," he said.

Google spokesperson José Castañeda said in an emailed statement to The Markup that the Bluetooth identifiers were temporarily accessible to certain system-level applications for debugging purposes. He said Google has begun deploying a fix to address it.

However, AppCensus co-founder and chief technology officer Serge Egelman said Google repeatedly dismissed the company's concerns about the bug until The Markup contacted Google late last week for comment on the issue.

When asked if the vulnerability had been eliminated, Castañeda said the deployment of this update to Android devices began a few weeks ago and will be completed within a few days.

The problem is that hundreds of pre-installed apps on Android devices, such as Samsung Browser and Motorola's MotoCare, have access to potentially sensitive information that the contact tracing apps store in the system log, a by-product of how the pre-installed apps receive information about user analytics and crash reports.

The contact tracing tool works by exchanging anonymized Bluetooth signals with other phones that have a contact tracing app. To make it harder to identify someone, these signals change every 15 minutes and are created from a key that changes every 24 hours.

[Figure: Google and Apple's explanation of how "rolling proximity identifiers" are exchanged. Credit: Google and Apple]

The signals that a phone's contact tracing app generates and receives are stored in the Android device's system log. Research shows that over 400 pre-installed apps on phones built by Samsung, Motorola, Huawei, and other companies have permission to read system logs for crash reporting and analysis purposes.

For contact tracing apps, Reardon found that the system logs contain data about whether you have been in contact with someone who tested positive for COVID-19, along with information such as device name, MAC address, and other apps. In theory, that information could be collected by a pre-installed app and sent back to its company's servers. He hasn't found that any app is actually collecting that data, but nothing prevents it.

"What Google says is that these logs never leave the device," Reardon said. "They can't claim that. They don't know if any of these apps are collecting system logs."

In an email to The Markup, Google spokesperson Castañeda said these Bluetooth identifiers do not reveal the user's location or provide any other identifying information, and that there is no indication they were used in any way or that any app was even aware of this.

Google has pledged that all contact tracing data will be processed on the user's phone and will not be sent to any server. While the apps exchange anonymized Bluetooth signals, data is sent to external entities only if a user tests positive for COVID-19 and chooses to share that information with public health authorities.

When Google and Apple first released the tool, they promised during a press conference that the list of people you had been in contact with wouldn't leave your phone unless you chose to share it.

In a keynote speech at the International Association of Privacy Professionals last July, the chief privacy officers of Google and Apple emphasized that storing and processing data only on devices, not servers, protects user privacy.

Keith Enright, Google's Chief Privacy Officer, said on a panel that he felt strongly that all of this contact notification processing should be done on [the] device, and that the process, which takes place under the strict control of devices and users, is an important design feature for optimizing system privacy.

The privacy policy of Connecticut's contact tracing app also states that data is stored only on your device and will not be shared unless you are diagnosed with COVID-19 and choose to share that information. The state's app is based on the Google and Apple contact notification framework.

These data are stored only on the user’s device and will not be shared unless the user is diagnosed with COVID-19 and chooses to share this information within the system.

Reardon first contacted Google about this issue on February 19 and submitted a report to Google's bug bounty program.

Google has a program that pays researchers who find security issues with its services, but only if the company considers the flaw serious enough. According to an email that AppCensus sent to The Markup, the team did not believe Reardon's findings met that criterion.

On March 12, Reardon received an email from Enzo of the Google Security Team saying: "This may not be serious enough to be rewarded, but the panel will consider it at the next meeting and update you as more details become available. All you need to do now is wait. If you do not receive a reply after a few weeks, or if you have additional information about the vulnerability, please let us know."

Four days later, Reardon received an automated email from Google stating that the flaw was not serious enough to justify a payment and that the security team would decide whether to make the change.

Since then, the company hasn’t contacted him.

Reardon also contacted Giles Hogben, Director of Privacy Engineering for Android, on February 19. In response to Reardon's concerns, Hogben said in an email that system logs can only be accessed by certain apps.

Hogben said in a February 25 reply that [system logs] had not been readable by non-privileged apps (only by those with READ_LOGS privileges) since long before Android 11.

However, according to Reardon, hundreds of pre-installed apps can still read these system logs. He said they are collecting information that is devastating to the privacy of people who actually use contact tracing.
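The exposure described above depends on which packages actually hold READ_LOGS on a given device. The following is an added example, not code from the article, Google, or AppCensus: it parses text in the layout of `adb shell dumpsys package` and lists the packages to which READ_LOGS is granted, as opposed to merely requested. The sample text and package names are constructed.

```python
import re

# Constructed, simplified sample in the layout of `adb shell dumpsys package`.
# Package names are invented; real output carries many more fields.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.vendor.browser] (a1b2c3d):
    codePath=/system/priv-app/VendorBrowser
    flags=[ SYSTEM HAS_CODE ALLOW_CLEAR_USER_DATA ]
    install permissions:
      android.permission.INTERNET: granted=true
      android.permission.READ_LOGS: granted=true
  Package [com.example.userapp] (e4f5a6b):
    codePath=/data/app/com.example.userapp-1
    flags=[ HAS_CODE ALLOW_CLEAR_USER_DATA ]
    requested permissions:
      android.permission.READ_LOGS
    install permissions:
      android.permission.INTERNET: granted=true
  Package [com.example.vendor.care] (c7d8e9f):
    codePath=/system/app/VendorCare
    flags=[ SYSTEM HAS_CODE ]
    install permissions:
      android.permission.READ_LOGS: granted=true
"""

PKG_RE = re.compile(r"^\s*Package \[([^\]]+)\]")
GRANTED = "android.permission.READ_LOGS: granted=true"

def read_logs_holders(dumpsys_text):
    """Map each package with READ_LOGS granted (not merely requested)
    to its code path and whether it carries the SYSTEM flag."""
    holders, current, info = {}, None, {}
    for line in dumpsys_text.splitlines():
        s = line.strip()
        m = PKG_RE.match(line)
        if m:  # a new package block starts
            current, info = m.group(1), {"code_path": None, "system": False}
        elif s.startswith("codePath="):
            info["code_path"] = s.split("=", 1)[1]
        elif s.startswith("flags=["):
            info["system"] = "SYSTEM" in s[7:].rstrip("]").split()
        elif s == GRANTED and current:
            holders[current] = info
    return holders

if __name__ == "__main__":
    for pkg, meta in sorted(read_logs_holders(SAMPLE_DUMPSYS).items()):
        print(pkg, meta["code_path"], "system" if meta["system"] else "user")
```

On a real device, pass the function the saved output of `adb shell dumpsys package` in place of the constructed sample.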

