Community transmission is the thing that could set COVID-19 free in our country, so to get the disease under control we need to prevent as much community transmission as possible. To do that, the Australian Government yesterday released a tracking app called COVIDSafe. Two of the questions on everyone’s mind are “Is it safe?” and “Can we trust the government to keep our data safe?”, along with many more of course.

These are good questions and need to be asked, given our government’s penchant for sharing our data and using it for purposes other than those it was intended for. After the app was released yesterday, a couple of developers we follow on the socials decided to break it down.

First up we had @xssfox, who tackled it from a security standpoint. He first noted that the UAT environment endpoint was being leaked.

No location tracking is used, just Bluetooth, and the app switches between client (scanning) and server modes. This does not mean that they cannot roll out an update with more invasive tracking, since location permissions are already granted, but you can be sure the security peeps will be all over this should the government try to pull a swifty like that.

@xssfox was easily able to find the COVIDSafe Administration console, and it is a worry that it was that easy. In the end, though, @xssfox was generally fine with the app but was a bit concerned about the device-id being sent to the API, which could give you the same “temp” ID over and over again, which might allow better tracking but be less secure.

Another Twitter developer, Matthew Robbins, also decided to delve into the app, from an app developer’s standpoint. He found that “COVIDSafe only picks up and records other phones that have given their permission to broadcast.” His final conclusion was that the app is “above board, very transparent and follows industry standard.”

Interestingly the iOS version apparently requires the user to leave the app open and the screen — not good if you want a large proportion of the population to use it.

While the app may have a few things that some may not like, it seems to be generally well written and also secure. That may surprise some, but you can be sure the Government made sure they got this right: get it wrong and they would most likely not get a second chance.

COVIDSafe appears to be safe to use at this stage, and we encourage people to install it to help keep themselves and others safe.

https://play.google.com/store/apps/details?id=au.gov.health.covidsafe