
Australia Releases 'COVIDSafe' Contact-Tracing App

2 Million Individuals Download App; 10 Million Must Use for Maximum Effectiveness

The Australian government released its contact-tracing app on Sunday, marking a crucial milestone in its efforts to keep lowering the country’s already relatively low COVID-19 infection rate.


Concerns have abounded about whether the public will trust the app, called COVIDSafe, and voluntarily download it. But the ABC reports that 1 million people downloaded it in just five hours - a milestone the government had hoped to hit within the first five days. Less than 24 hours after its debut, by late Monday afternoon, an additional 900,000 people had downloaded the app.

Public health experts say that for the app to be an effective tool against COVID-19, about 10 million individuals in the country will need to not just download the app but continue to actively use it.

Last Monday, an open letter published by hundreds of researchers and scientists - including Australian cybersecurity experts Dali Kaafar, Vanessa Teague and Yuval Yarom - warned that contact-tracing apps must be open, transparent, opt-in as well as decentralized as much as possible, to maximize user adoption and minimize surveillance and privacy concerns. Austria, Germany and Switzerland are among the countries that have opted for this approach, which Apple and Google have pledged to support (see: Contact-Tracing App Privacy: Apple, Google Refuse to Budge).

Like France and the U.K., however, Australia has instead opted for a centralized model, with the government given access to all collected data (see: Contact-Tracing Apps Must Respect Privacy, Scientists Warn).

Not Released: App's Source Code

Technology experts have been reviewing COVIDSafe, to the best of their ability, since it became available via Apple’s App Store and Google Play at 6 p.m. Australian Eastern Standard Time on Sunday. As of Monday, security experts and developers looking for potential privacy or security problems report finding minimal issues. Some open questions center on how much the app's continuing use of Bluetooth might drain batteries, as well as whether the app continues to function if the device isn't unlocked.

Such reviews also remain limited, because reviewers do not have access to complete notes about the app’s design and back-end infrastructure. Also, running a penetration test against that infrastructure, without permission, would be illegal.

In addition, the app's source code has not been released. Many experts say releasing the code would help bolster the public’s confidence in the app.

In the run-up to the app’s release, the government had suggested that it would release the source code, but then demurred. Allowing public scrutiny of the source code, however, would provide public visibility into how an app runs, and allow experts to pinpoint unknown or undisclosed technological problems or privacy issues.

COVIDSafe uses Bluetooth to detect other phones, likely to within about 1.5 meters (5 feet).

On Sunday, a group of 75 academics and industry experts released a letter asking the Australian government to release the source code and give them five days to examine the code before releasing it to the public.

“There is no need for secrecy here: this is not a commercial app,” the letter states. “Secrecy only helps the virus. Secrecy in the time of COVID-19 is not a recipe for public trust. Trust requires transparency.”

Some developers say the Android app code can already largely be viewed. Matthew Robbins, who founded MFractor, which is a development tool for Xamarin - an open source platform for building mobile apps - tweets that the Android version of COVIDSafe isn’t obfuscated and can be decompiled “to a level almost as good as having the original source code.”

“They [the Australian government] may not have released the source code, but there is a clear intent of transparency displayed by not obfuscating it,” Robbins writes.

Furthermore, the government likely plans to significantly refine the code in the coming weeks, says Mike Cannon-Brookes, a well-known Australian technology luminary who's co-CEO of Atlassian. The government “is obviously operating with extreme urgency to get the app out,” he says in a note posted to Hacker News.

Privacy Risks

Australia’s app is similar to Singapore’s TraceTogether app, which uses Bluetooth for proximity detection. Phones that are running the app send a Bluetooth “beacon” once per minute.

When two people have contact - which is defined in the app as being within 1.5 meters (5 feet) of someone else for at least 15 minutes - the phones exchange encrypted IDs. The encrypted IDs, referred to as "UniqueIDs" in COVIDSafe, contain the name under which someone registered the app and their phone number.

But a group of privacy and security experts see privacy risks with the UniqueID system. UniqueIDs get generated from a central server and downloaded to phones running COVIDSafe, but only every two hours, as compared with Singapore’s TraceTogether, which changes an ID every 15 minutes, the group notes in a GitHub post they published on Monday.

The problem with using the same ID for a longer period of time is that it increases the potential for third-party tracking, or other devices picking up the same ID, independent researchers Chris Culnane, Eleanor McMurtry, Robert Merkel and cryptologist Vanessa Teague warn in their post.

Also, they found that COVIDSafe records the exact model of phone that someone uses, but doesn’t encrypt that information. "Although it may seem innocuous, the exact phone model of a person's contacts could be extremely revealing information," they write, for example, by making it easier to track or even exploit them.
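The linkability concern in the two preceding paragraphs, modeled as an added example (not code from the article, the researchers' post or the app): it measures how long a passive Bluetooth receiver could attribute sightings to one device under a two-hour versus a 15-minute ID rotation, and how a cleartext phone model persists across rotations. The ID derivation, device labels, model strings and sighting times are constructed assumptions; COVIDSafe's real UniqueIDs are issued by a central server.

```python
import hashlib

def temp_id(device: str, t_min: int, rotation_min: int) -> str:
    """Opaque ID that changes every rotation_min minutes (assumed derivation,
    standing in for a server-issued UniqueID)."""
    epoch = t_min // rotation_min
    return hashlib.sha256(f"{device}:{epoch}".encode()).hexdigest()[:12]

def observe(sightings, rotation_min):
    """What a passive receiver records: time, current ID, cleartext model."""
    return [{"t": t, "id": temp_id(dev, t, rotation_min), "model": model}
            for t, dev, model in sightings]

def longest_linkable_span(observations, fields):
    """Longest time in minutes over which sightings share the same values in
    `fields`, i.e. could be attributed to a single device."""
    first, last = {}, {}
    for o in observations:
        key = tuple(o[f] for f in fields)
        first[key] = min(first.get(key, o["t"]), o["t"])
        last[key] = max(last.get(key, o["t"]), o["t"])
    return max(last[k] - first[k] for k in first)

# Constructed sample: (minutes since start, device label, phone model).
SIGHTINGS = [
    (2, "A", "model-X"), (9, "A", "model-X"), (20, "A", "model-X"),
    (45, "A", "model-X"), (50, "A", "model-X"), (70, "A", "model-X"),
    (100, "A", "model-X"), (115, "A", "model-X"),
    (5, "B", "model-Y"), (30, "B", "model-Y"), (95, "B", "model-Y"),
]

def compare():
    """Linkable span per rotation interval, by rotating ID and by model.
    The model figure is an upper bound that holds when a model is rare
    among the devices observed."""
    out = {}
    for rotation in (120, 15):
        obs = observe(SIGHTINGS, rotation)
        out[rotation] = {
            "id_only": longest_linkable_span(obs, ["id"]),
            "model_only": longest_linkable_span(obs, ["model"]),
        }
    return out

if __name__ == "__main__":
    print(compare())
```

With this sample, shortening the rotation interval cuts the ID-based span from 113 minutes to 7, while the unencrypted model field leaves it at 113 in both cases.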

The encrypted contact logs remain on the phone unless one party tests positive for COVID-19. In that instance, health officials will supply a PIN to the person who is infected that allows them to voluntarily upload their contacts log. The log includes 21 days of information and will be kept in the National COVIDSafe Data Store, which is hosted on an Amazon Web Services instance in Australia.

The IDs can then be decrypted so other at-risk people can be identified. Health officials in each state and territory will then telephone those contacts as part of manual contact-tracing efforts.

In the open letter released last Monday signed by Teague and hundreds of other researchers and scientists, one concern was that collecting and storing so much information - in Amazon's cloud, for Australia's app - would leave users at risk. For example, such data could be inadvertently exposed, or breached by attackers.

Illegal to Decrypt IDs

In Australia, for anyone other than health officials, decrypting contact-tracing app data stored in the cloud is now illegal because Health Minister Greg Hunt on Saturday added a provision to the Biosecurity Act making it illegal to improperly disclose data collected by the app or even to try to decrypt the data stored within it. Passing a law won't necessarily prevent cybercriminals or foreign intelligence services from meddling with the system, but would be a domestic deterrent.

It also mandates that after the pandemic is considered over, the data in the National COVIDSafe Data Store be deleted. That’s one of the strongest controls around COVIDSafe, says Melanie Marks, principal of the Sydney-based privacy and cybersecurity consultancy elevenM.

But there is a concern there. States and territories will have access to decrypted IDs in order to contact people. The federal government has said it will seek agreements with local governments to ensure data they hold will not be used for other purposes.

“Right now it is unclear what this arrangement will look like, how it will be overseen and how it will offer redress for individuals who have been wronged,” Marks says.

The Australian government has said it plans next month to pass legislation making any data collected by the app off limits to other government agencies, including law enforcement.

The government has also released a privacy impact assessment commissioned by the Department of Health. The assessment lauds developers for taking a privacy-by-design approach, rather than attempting to address privacy concerns later, which is less effective. While noting that developers have made additional, unspecified changes since the report was prepared, it also highlights further work that could be done, such as releasing the app’s source code, strengthening legislation around it and improving communication with the public.

Now that the Australian government's COVIDSafe app has been released, of course, it's up to the public to decide if they trust it, and if they will download and use it. It also remains to be seen whether the app will work as intended - and whether the government's decision to take a centralized approach to collecting and storing Australians' data was the right one (see: COVID-19 Contact-Tracing App Must-Haves: Security, Privacy).

Executive Editor Mathew Schwartz contributed to this report.

About the Author

Jeremy Kirk

Executive Editor, Security and Technology, ISMG

Kirk was executive editor for security and technology for Information Security Media Group. Reporting from Sydney, Australia, he created "The Ransomware Files" podcast, which tells the harrowing stories of IT pros who have fought back against ransomware.
