Researchers at Queen Mary University of London developed a tool that analyzes contact tracing apps for security and privacy issues.
“COVIDGuardian,” the tool in question, can find security weaknesses, potential privacy leaks, and malware.
Using the tool, the researchers analyzed 40 Covid-19 contact tracing apps and found that 72.5% of them use insecure cryptographic algorithms. The researchers presented their findings in a paper.
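The article does not describe how COVIDGuardian detects insecure cryptographic algorithms. The following is an added illustration, not the researchers' code, of the kind of static check an app reviewer would run over decompiled Java or Kotlin source to flag the usual offenders (DES and RC4, ECB mode, the implicit ECB default of `Cipher.getInstance("AES")`, MD5 and SHA-1 digests, and `java.util.Random` used where `SecureRandom` belongs). The source fragments, file names, and rule names are constructed for the example and belong to no real app.

```python
import re
from collections import Counter

# Constructed source fragments standing in for decompiled app code (hypothetical).
SAMPLE_SOURCE = {
    "net/CryptoHelper.java": (
        'Cipher c = Cipher.getInstance("AES/ECB/PKCS5Padding");\n'
        'MessageDigest md = MessageDigest.getInstance("MD5");\n'
        'SecureRandom r = new SecureRandom();\n'
    ),
    "net/Legacy.java": (
        'Cipher c = Cipher.getInstance("DES/CBC/PKCS5Padding");\n'
        'Random r = new Random();\n'
    ),
    "net/Ok.java": (
        'Cipher c = Cipher.getInstance("AES/GCM/NoPadding");\n'
        'MessageDigest md = MessageDigest.getInstance("SHA-256");\n'
    ),
    "net/Settings.java": (
        # No mode given: JCE providers default this transformation to ECB.
        'Cipher c = Cipher.getInstance("AES");\n'
    ),
}

# (rule name, pattern) pairs; each pattern targets one weak-crypto idiom.
WEAK_RULES = [
    ("weak-cipher", re.compile(r'Cipher\.getInstance\("(DES|DESede|RC4|RC2|Blowfish)[/"]')),
    ("ecb-mode", re.compile(r'Cipher\.getInstance\("[A-Za-z0-9]+/ECB')),
    ("implicit-ecb", re.compile(r'Cipher\.getInstance\("(AES|DES|DESede)"\)')),
    ("weak-hash", re.compile(r'MessageDigest\.getInstance\("(MD5|MD2|SHA-1|SHA1)"')),
    # Matches java.util.Random but not SecureRandom (the word boundary after "new" matters).
    ("insecure-random", re.compile(r'\bnew\s+(java\.util\.)?Random\s*\(')),
]


def scan_source(files):
    """Return (path, line number, rule, source line) for every weak-crypto hit."""
    findings = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            for rule, pattern in WEAK_RULES:
                if pattern.search(line):
                    findings.append((path, lineno, rule, line.strip()))
    return findings


def flagged_files(findings):
    """Distinct files that triggered at least one rule."""
    return sorted({path for path, _, _, _ in findings})


def summarize(findings):
    """Count hits per rule, the per-app view a reviewer reports."""
    return dict(Counter(rule for _, _, rule, _ in findings))


if __name__ == "__main__":
    hits = scan_source(SAMPLE_SOURCE)
    for path, lineno, rule, line in hits:
        print(f"{path}:{lineno}: {rule}: {line}")
    print(summarize(hits))
```

Regex matching on decompiled source is deliberately coarse: it reports every use of a weak primitive, including ones that may be harmless (a legacy checksum, say), so each hit still needs a human to confirm what the primitive protects. Catching the mode-less `Cipher.getInstance("AES")` form matters because it looks correct while silently selecting ECB.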
In one instance, an app contained malware. Stop COVID-19 KG, launched in mid-April and developed by the State Committee for IT and Communications of Kyrgyzstan, contained one security risk and one privacy risk: a variant of Android/DataCollector.Utilcode.A and an Adware (0053e0591).
Stop COVID19 KG has previously been the subject of privacy concerns and even a data breach in which an unauthorized individual managed to view patients’ data. At the time, the Civil Initiative on Internet Policy, a nongovernmental organization based in the Kyrgyz capital, Bishkek, said the app was a “gross violation of legislation in the field of personal data protection and cybersecurity.”
In total, besides the malware in Stop COVID19 KG, the researchers from the Queen Mary University of London found 20 trackers, including Google Firebase Analytics, Google CrashLytics, and Facebook Analytics.
About 75% of the apps used at least one tracker. In the most extreme case, the Contact Tracing (USA) app contained 8 trackers.
Following their findings, the researchers re-checked the apps and did regression testing. They found that all privacy issues in three apps — TraceTogether (Singapore), BlueZone (Vietnam), and STOP COVID19 CAT (Spain) — have been fixed. And Contact Tracer (USA) was taken down from the app store.
However, new vulnerabilities have been found in the updated versions of several apps. The researchers say this may mean that, in the rush to develop contact tracing apps, developers did not have time to follow proper quality assurance procedures.
The researchers notified all developers about the identified issues. But it is unknown whether the malware was removed from Stop COVID19 KG. The app is still available on the Play Store and, to date, has been downloaded roughly 10K times – a relatively low figure. The researchers say that the vast majority of contact tracing apps downloaded from the Google Play Store are free of malware.
The issues above are not the only known security issues related to contact tracing apps. The rise of these apps has recently also attracted the interest of developers with malicious intent. In one case, ransomware posing as a contact tracing app targeted patients in Canada even before the app’s public release.