The Android version of Google and Apple’s COVID-19 contact notification app had a privacy flaw: it allowed other pre-installed apps to potentially see sensitive data, including whether someone had come into contact with a person who tested positive for COVID-19, reports ITC.
This flaw conflicts with repeated promises from Google CEO Sundar Pichai, Apple CEO Tim Cook and numerous healthcare officials that the data collected by the contact notification system cannot be transferred outside the user’s device.
AppCensus notified Google of the vulnerability back in February, but the search giant was unable to fix it, even though, according to an AppCensus employee, fixing the problem would be as easy as removing a few nonessential lines of code.
Google spokesman Jose Castaneda said the company is currently working on fixing the bug:
“We were notified of an issue where Bluetooth IDs were temporarily available to certain system-level applications for debugging purposes, and we immediately began rolling out a fix to address this issue.”
The contact notification system works by exchanging anonymous Bluetooth signals between the user’s smartphone and other smartphones that have the system activated. Then, if someone using the app tests positive for COVID-19, they can work with health authorities to send an alert to any smartphones that have the corresponding signals recorded in the device’s memory.
On Android smartphones, contact tracing data is written to privileged system memory, where it is not available to most running applications. But apps preinstalled by manufacturers are given special system privileges that allow them to access these logs, putting sensitive contact tracing data at risk. As of now, there is no indication that any apps actually collected this data, notes NIX Solutions.
“The issue is implementation-related, not the disclosure notification system,” said Serge Egelman, CTO of AppCensus.
The analysis found no similar issues with the contact notification system on the iPhone.