Skip to content

Instantly share code, notes, and snippets.

@ghuntley
Created June 30, 2020 12:02
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save ghuntley/8630e77c6e737085877a73a81a5f1b0e to your computer and use it in GitHub Desktop.
Save ghuntley/8630e77c6e737085877a73a81a5f1b0e to your computer and use it in GitHub Desktop.
From: Media <media@adelaide.edu.au>
Sent: Tuesday, 30 June 2020 3:07 PM
To: Media <media@adelaide.edu.au>
Subject: MEDIA RELEASE: Australia’s COVIDSafe app among safest in the world
 
MEDIA RELEASE
Tuesday 30 June 2020
Australia’s COVIDSafe app among safest in the world
Australia’s COVIDSafe tracing app is one of the best and safest apps of its kind in the world, according to University of Adelaide cybersecurity experts who have been exploring the vulnerabilities of people-tracing apps.
A team from the University of Adelaide’s School of Computer Science has made the claim after assessing 34 of the world’s COVID-19 contact tracing apps for security and privacy vulnerabilities.
The team studied Android device tracing apps that have had more than 10,000 downloads each in different countries, as well as apps recommended by official authorities.
The results of the study can be found here: https://arxiv.org/abs/2006.10933
Associate Professor Damith Ranasinghe from the University of Adelaide’s School of Computer Science says most COVID-19 contact tracing apps are vulnerable to malicious attacks, contain trackers and could, if hacked, create false data about the incidence of cases.
“Australia’s COVIDSafe app is currently well designed. Since its release on 14 April 2020, developers across the nation have continually improved its security,” Associate Professor Ranasinghe says.
“Everyone in Australia should be using the COVIDSafe app, in our opinion. It’s one of the best of its kind anywhere in the world today.
“While COVIDSafe is one of the safest, if not the safest tracing app, not all tracing apps are as good.
“About 70% of the apps in our sample pose potential security risks. This is because either their cryptographic algorithms used for securing data are insecure, or not best practice, or because they store sensitive information in clear text that could be potentially read by attackers.
“Over 60% of the apps posed vulnerabilities through manifest weaknesses such as allowing permissions for backups to be made, which could allow unencrypted data to be copied.
“We identified that approximately 75% of the apps contain at least one tracker, such as Google or Facebook trackers, these trackers collect information about people’s activities on their mobile devices. This private information could be given to third parties.
“It is possible to carry out a so-called replay attack, in which a malicious user can replay valid identifiers to redirect all the traffic from one place to another to virtually or digitally alter the footprint of the contact. This could result in the targeted area being incorrectly locked-down due to false information.”
Contact tracing apps operate by recording prolonged and close proximity interactions between individuals by using proximity sensing methods such as Bluetooth. The apps speed up the process of finding people who have been in close contact with someone infected with COVID-19. An app can only catch interactions between people who have installed it, so public buy-in is key to the app’s effectiveness.
“As part of our assessment of the vulnerabilities of apps currently being used, we identified a potential malicious attack scenario and proposed an idea to mitigate such a risk,” says Dr Jason Xue, from the University of Adelaide’s School of Computer Science.
“We informed all the app developers and related stakeholders on 23 May 2020 about the vulnerabilities so that they have the opportunity to update the apps.
"We recently re-checked all of these apps and found that all potential privacy leakage on three apps – TraceTogether (Singapore), BlueZone (Vietnam), STOP COVID19 CAT (Spain) – has been fixed. Additionally, all the trackers of the app, Mysejahtera (Malaysia), have been removed and the vulnerable app, Contact Tracer (USA), is no longer available in Google Play Store.
“In the latest version of COVID Safe, developers have encrypted its local database which is stored in the phone, so that even if data is breached, the attacker will not be able to decrypt the data.
“A further improvement we have suggested is to detect the so-called rooting of a device in which a malicious actor tries to evade the protections provided to the app from the operating system of your mobile phone.
“Our study can provide useful insights for governments, developers and researchers in the software industry to develop secure and privacy-preserving contact tracing apps. We hope the results and the proposed contact tracing approach will contribute to increasing the trustworthiness of solutions to respond to infectious diseases now and in the future.
“As our next step, we are planning to examine any vulnerabilities associated with iOS apps.”
The University of Adelaide is a leader in cybersecurity education and research, and has a strategic industry focus on defence, cyber and space.
 
 
Media contacts:
Associate Professor Damith Ranasinghe, School of Computer Science, The University of Adelaide. Mobile: +61 (0)477 880 164, Email: damith.ranasinghe@adelaide.edu.au
Dr Jason Xue, Lecturer, School of Computer Science, The University of Adelaide. Mobile: +61 (0)420 378 228, Email: jason.xue@adelaide.edu.au
Crispin Savage, Senior Communications and Media Officer, The University of Adelaide. Mobile: +61 (0)481 912 465, Email: crispin.savage@adelaide.edu.au
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment