A privacy flaw in the Android version of Apple and Google’s COVID-19 exposure notification app potentially allowed other preinstalled apps to see sensitive data, including if users had contact with a COVID-positive person. Google is now working on rolling out a fix.
Privacy analysis firm AppCensus first noticed the bug in February and reported it to Google. However, according to The Markup, Google failed to address it at the time. The bug goes against multiple promises made by Apple CEO Tim Cook, Google CEO Sundar Pichai, and several public health officials that the data collected from the exposure app would not be shared beyond an individual’s device.
“The fix is a one-line thing where you remove a line that logs sensitive information to the system log. it doesn’t impact the program, it doesn’t change how it works,” said Joel Reardon, co-founder and forensics lead of AppCensus in the same interview with The Markup. “It’s such an obvious fix, and I was flabbergasted that it wasn’t seen as that.”
The article also shared a quote from Google spokesperson José Castañeda, who stated “We were notified of an issue where the Bluetooth identifiers were temporarily accessible to specific system level applications for debugging purposes, and we immediately started rolling out a fix to address this.”
In order for the exposure notification system to work, it needs to ping anonymized Bluetooth signals of devices with the system activated. Then, in the event one of the users tests positive for COVID-19, it works with health authorities to send an alert to other users who came into contact with that person with corresponding signals that are logged in the phone’s memory.
The issue is that, on Android phones, contract-tracing data is logged in privileged system memory. While most of the apps and software running on these devices don’t have access to this, apps that are preinstalled by manufactures like Google or LG or Verizon do have special system privileges that allow them to potentially access these data logs, making them vulnerable.
AppCensus has found no indications that any preinstalled apps have collected data, however, nor did it find this to be the case with the exposure notification system on iPhones. The company’s Chief Technology Officer, Serge Egelmen, emphasized on Twitter that the bug is an implementation issue and not the fault of the exposure notification system and that it should damage the public’s trust in public health technologies.
via The Verge