App Census Study Reveals that Android Devices Leak User Data Stored in Contact Tracing Applications

 

According to security experts, hundreds of third-party applications on Android devices have access to confidential information collected by Google and Apple API contact-tracking devices. The Department of Homeland Security provided about $200,000 to App Census, a U.S. start-up that specializes in data protection practices in Android applications, earlier this year for testing and validating the reliability of contact tracking apps. 

The researchers of the business observed that the primary contact tracking information inside the device's system logs are recorded by Android Phones logging data from applications that use Google and Apple's Exposure Notifications System (ENS), that is used for collecting details, and usually where applications receive usage analytics and malfunction reports data. 

In an effort to assist medical authorities around the globe to develop contact tracing apps associated with the data protection requirement underlying the Android and iOS ecosystems, Google and Apple jointly launched ENS last year. API built by Apple and Google allows governments to build decentralized Bluetooth-based contact tracking software. 

The app-equipped devices send confidential, regularly changing IDs, known as RPIs, that are diffused via Bluetooth in such a way that nearby telephones that also use the application can be "heard". 

The observations of App Census reveal that the two Tech Giants' privacy pledge has certain deficiencies. Both transmitted and heard RPIs can indeed be identified in the machine logs of Android phones – as well as the device even records the existing Bluetooth MAC address of the destination server on RPIs that have been heard. Thus App Census found many ways of using and computing datasets to conduct data protection attacks since the RPI and the Bluetooth MAC addresses are unique and anonymized.

"Of course, the information has to be logged somewhere to do the contact-tracing, but that should be internally in the ENS," Gaetan Leurent, a researcher at the French National Institute for Research in Digital Science and Technology (INRIA), stated. "It is unsettling that this information was stored in the system log. There is no good reason to put it there." 

The RPIs could have been used along with different pieces of datasets to determine that whether users checked for COVID-19 positively, whether they had contacted an infectious individual or whether two persons met each other with access to device registers from multiple users. It is meant to preserve privacy in the contact tracing process, and precisely this type of data should be avoided. Therefore, the entire defense which should form the foundation of this protocol is defeated. 

A Google spokesperson told: "We were notified of an issue where the Bluetooth identifiers were temporarily accessible to some pre-installed applications for debugging purposes. Immediately upon being made aware of this research, we began the necessary process to review the issue, consider mitigations and ultimately update the code." 

The spokesman added that these Bluetooth identifications neither disclose the location of a customer nor provide any other identifying details, and also they are not aware that they were used in any manner. As per Google, roll started many weeks ago with the upgrade on Android devices and is due to be completed in the coming days. Previous publications of the researcher have shown that irrespective of implementation, the use of digital technology for contact tracking would necessarily present a risk to privacy.