CovidGuardian Overview

Introduction

We propose an automated security and privacy assessment tool - COVIDGuardian - which combines identification and analysis of Personal Identification Information (PII), static program analysis and data flow analysis, to determine security weaknesses and potential private information leakage. Furthermore, in light of our findings, we undertake a user study to investigate user concerns regarding contact tracing apps.

Motivation

The rapid spread of COVID-19 has made manual contact tracing difficult. Thus, various public health authorities have experimented with automatic contact tracing using mobile applications (or "apps"). These apps, however, have raised security and privacy concerns.

We hope that COVIDGuardian, and the issues raised through responsible disclosure to vendors, can contribute to the safe deployment of mobile contact tracing.

As part of this, we offer concrete guidelines, and highlight gaps between user requirements and app performance.

Research Questions

  • RQ1: What is the performance of our security and privacy assessment methodology, COVIDGuardian, compared to state-of-the-practice mobile app assessment tools?

  • RQ2: What is the security and privacy status of state-of-the-practice contact tracing apps?

  • RQ3: What is the robustness of state-of-the-practice contact tracing apps against potential security and privacy threats?

  • RQ4: What are the user concerns and requirements of contact tracing apps?

Contributions

  • We develop COVIDGuardian, the first automated security and privacy assessment tool that tests contact tracing apps for security weaknesses, malware, embedded trackers and private information leakage. COVIDGuardian outperforms 4 state-of-the-practice industrial and open-source tools.

  • We assess the security and privacy status of 40 worldwide Android contact tracing apps. We discover more than 50% of the apps pose potential security risks due to:

    • Employing cryptographic algorithms that are insecure or not part of best practice (72.5%);
    • Storing sensitive information in clear text that could potentially be read by attackers (55.0%);
    • Manifest weaknesses (over 40% of apps), e.g., allowing backup of application data (hence the copying of potentially unencrypted application data);
    • Further, we identify that approximately 75% of the apps contain at least one tracker, potentially causing serious privacy violations, i.e., data leaks that expose PII to third parties.

  • By reviewing the state-of-the-art, we identify four major privacy and security threats against contact tracing apps. Our threat analysis finds that apps adopting decentralized architectures are not necessarily more secure than those adopting centralized architectures (by our measures). We also conduct a user study involving 373 participants to investigate user concerns and requirements. The survey results indicate that tracing accuracy and potential privacy risks are the two major concerns. Beyond expecting accurate proximity recording and at-risk alerts, users are more likely to adopt contact tracing apps that offer better privacy by design.

  • We disclosed our security and privacy assessment reports to the related stakeholders on 23 May 2020. We have received acknowledgements from numerous vendors, such as MySejahtera (Malaysia), Contact Tracer (USA), and Private Kit (USA). Our re-assessments confirm that their updates have addressed several of the issues identified.
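As an added illustration of the Manifest weakness named in the findings above (allowing backup, and hence the copying of potentially unencrypted application data), the following check inspects an AndroidManifest.xml for android:allowBackup. This is example code written for this overview, not COVIDGuardian's implementation; the manifests are constructed samples, and the rule that an absent attribute means backup is allowed follows the documented Android default of "true".

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifests (not taken from any real contact tracing app).
WEAK_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="example.tracing">
  <application android:label="Tracer" android:allowBackup="true" />
</manifest>"""

# No allowBackup attribute at all: Android treats this as allowBackup="true".
IMPLICIT_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="example.tracing">
  <application android:label="Tracer" />
</manifest>"""

HARDENED_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="example.tracing">
  <application android:label="Tracer" android:allowBackup="false" />
</manifest>"""


def backup_allowed(manifest_xml: str) -> bool:
    """Return True when the manifest permits application data backup."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    if app is None:
        raise ValueError("manifest has no <application> element")
    value = app.get(f"{{{ANDROID_NS}}}allowBackup")
    if value is None:
        return True  # attribute absent: the platform default is "true"
    return value.strip().lower() == "true"


def assess_manifest(manifest_xml: str) -> list[str]:
    """Produce a list of finding strings; empty means no issue detected."""
    findings = []
    if backup_allowed(manifest_xml):
        findings.append(
            "allowBackup is enabled (explicitly or by default): application "
            "data can be copied off the device, possibly unencrypted; set "
            'android:allowBackup="false" unless backup is required.'
        )
    return findings
```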