Buying Guides
by Review Geek

Browse All Buying Guides
How-to Geek Best Of Badge Award

Reader Favorites

8 Best Wireless Mechanical Keyboards
5 Best Places to Buy Vinyl Records Online
8 Best Hot Swappable Mechanical Keyboards
Apps to Share Your Location with Family
The 5 Best Trip Planning Apps
The Best Multi-Device Mice and Keyboards for Power Users
7 LEGO Alternatives That Still Work With LEGO Bricks

More from Review Geek

Browse All Buying Guides
Browse All Latest News

Review Geek Editorials

Why Everyone Needs to Stock up on Power Banks
I Switched to a Galaxy S21 and I Hate It
I Tried Carvana: It Was Worse Than The Dealer
Don't Buy an Electric Riding Lawn Mower
Why We Can't Recommend Wyze or eufy Cameras
Don't Buy This Fake 16TB Portable Hard Drive
You Don't Really Ever Own an EV

More from Review Geek

Browse All Reviews
Browse All Buying Guides
How-to Geek Editor Choice Badge Award

Across LifeSavvy Media

FROM LIFESAVVY
BedJet 3 Review: Personalized Bed Climate Control Made Easy
BlendJet 2 Portable Blender Review: Power on the Go
FROM HOW-TO GEEK
Onyx BOOX Tab Ultra C Review: Tempting E-Paper Tablet With Shortcomings
Samsung Galaxy S23 Ultra Review: Practical Perfection With a Hint of Restraint
We select and review products independently. When you purchase through our links we may earn a commission. Learn more.
X
Popular Searches
News

An Android Bug Let Some Apps Improperly Access COVID-19 Tracing Data

Suzanne Humphries
Suzanne Humphries
Former Commerce Editor

Suzanne Humphries was a Commerce Editor for Review Geek. She has over seven years of experience across multiple publications researching and testing products, as well as writing and editing news, reviews, and how-to articles covering software, hardware, entertainment, networking, electronics, gaming, apps, security, finance, and small business. Read more...

About Review Geek

| 1 min read
Google Android figure standing on laptop keyboard with code in background
quietbits/Shutterstock.com

A privacy flaw in the Android version of Apple and Google’s COVID-19 exposure notification app potentially allowed other preinstalled apps to see sensitive data, including if users had contact with a COVID-positive person. Google is now working on rolling out a fix.

Privacy analysis firm AppCensus first noticed the bug in February and reported it to Google. However, according to The Markup, Google failed to address it at the time. The bug goes against multiple promises made by Apple CEO Tim Cook, Google CEO Sundar Pichai, and several public health officials that the data collected from the exposure app would not be shared beyond an individual’s device.

“The fix is a one-line thing where you remove a line that logs sensitive information to the system log. it doesn’t impact the program, it doesn’t change how it works,” said Joel Reardon, co-founder and forensics lead of AppCensus in the same interview with The Markup. “It’s such an obvious fix, and I was flabbergasted that it wasn’t seen as that.”

The article also shared a quote from Google spokesperson José Castañeda, who stated “We were notified of an issue where the Bluetooth identifiers were temporarily accessible to specific system level applications for debugging purposes, and we immediately started rolling out a fix to address this.”

Hands holding Android phone and iPhone together displaying their logos, respectively
Daria Nipot/Shutterstock.com

In order for the exposure notification system to work, it needs to ping anonymized Bluetooth signals of devices with the system activated. Then, in the event one of the users tests positive for COVID-19, it works with health authorities to send an alert to other users who came into contact with that person with corresponding signals that are logged in the phone’s memory.

The issue is that, on Android phones, contract-tracing data is logged in privileged system memory. While most of the apps and software running on these devices don’t have access to this, apps that are preinstalled by manufactures like Google or LG or Verizon do have special system privileges that allow them to potentially access these data logs, making them vulnerable.

AppCensus has found no indications that any preinstalled apps have collected data, however, nor did it find this to be the case with the exposure notification system on iPhones. The company’s Chief Technology Officer, Serge Egelmen, emphasized on Twitter that the bug is an implementation issue and not the fault of the exposure notification system and that it should damage the public’s trust in public health technologies.

via The Verge

Suzanne Humphries Suzanne Humphries
Suzanne Humphries was a Commerce Editor for Review Geek. She has over seven years of experience across multiple publications researching and testing products, as well as writing and editing news, reviews, and how-to articles covering software, hardware, entertainment, networking, electronics, gaming, apps, security, finance, and small business. Read Full Bio »