Hundreds of third-party apps on Android devices were given access to sensitive data logged by contact-tracing apps built on Google and Apple’s API, according to security researchers.
AppCensus, a US-based start-up that specializes in analyzing the privacy practices of Android apps, was granted almost US$200,000 by the US Department of Homeland Security earlier this year to test and validate the reliability of contact-tracing apps.
The company’s researchers found that Android phones logging data from apps using Google and Apple’s Exposure Notifications System (ENS) were recording key contact-tracing information within the device’s system logs – which are used for debugging purposes, and are normally where apps receive information about user analytics and crash reports.
They noted that not all apps can read system logs, but in Android, Google allows some hardware manufacturers, network operators and commercial partners to pre-install “privileged” apps. Part of that privilege is access to system logs.
The researchers, for instance, revealed that on the Samsung Galaxy A11, 89 apps are allowed to read system logs, while 54 apps are allowed to do the same on the Xiaomi Redmi Note 9.
“They are now receiving users’ medical and other sensitive information as a result of Google’s implementation,” said AppCensus co-founder and forensics lead, Joel Reardon, in a blog post.
How Google and Apple ENS exposes us
Google and Apple jointly released ENS last year, as a way of assisting health authorities around the world in building contact-tracing apps compatible with the privacy imperative that, according to both companies, underpins the Android and iOS ecosystems.
The API developed by Apple and Google enables governments to create decentralized contact-tracing apps that rely on Bluetooth signals.
Devices fitted with the app emit anonymous identifiers that change periodically, called rolling proximity identifiers (RPIs), which are broadcast through Bluetooth so that they can be “heard” by surrounding phones that are also using the app. As well as broadcasting RPIs, therefore, handsets also log all the RPIs that they hear.
If a user later tests positive for COVID-19, the health authorities issue a list of all the RPIs attached to that user’s phone. On each device, a comparison is drawn between the list of infectious RPIs and those logged by the app, and a notification is issued to the user if a risky contact is detected.
All of the match-making is carried out locally on the phone, and in principle, no data should leave the device unless a user decides to share with health services that they have tested positive for COVID-19. This is why Google and Apple call their system decentralized, and have pitched ENS as protecting privacy by design.
A large number of users have now downloaded contact-tracing apps that were created thanks to Apple and Google’s ENS. In the UK, the NHS COVID-19 app was downloaded over 21 million times, for instance, while Germany’s CoronaWarn app is used by over 25 million residents.
In Ghana, the then Communications Minister, Ursula Owusu Ekuful, boasted of over 100,000 downloads of the Ghana Covid-19 Tracker App within just days.
AppCensus’s findings now show that the privacy promise made by the two tech giants has some shortcomings. Reardon and his team found that both RPIs that are broadcast and those that are heard can be found in Android phones’ system logs – and for the RPIs that were heard, the device also logs the current Bluetooth MAC address of the sending device.
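The following Python check is an added example, not code from AppCensus or from the article: a tester could run it over a captured system log to see whether RPIs, alone or paired with a Bluetooth MAC address, were written to it, and to produce a redacted copy. The sample log lines and the tag HypotheticalEnTag are constructed, and the 16-byte (32 hex character) RPI length is taken from the public Exposure Notification specification rather than from this page.

```python
import re

# Assumption: an RPI is 16 bytes, so it appears as a run of exactly 32 hex digits.
RPI_RE = re.compile(r"(?<![0-9A-Fa-f])[0-9A-Fa-f]{32}(?![0-9A-Fa-f])")
# A Bluetooth MAC address written as six colon-separated octets.
MAC_RE = re.compile(
    r"(?<![0-9A-Fa-f:])(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}(?![0-9A-Fa-f:])")

# Constructed sample lines; the tag, message wording and values are hypothetical.
SAMPLE_LOG = """\
05-01 10:00:01.123  1234  1250 D HypotheticalEnTag: broadcasting rpi=0f1e2d3c4b5a69788796a5b4c3d2e1f0
05-01 10:00:04.456  1234  1251 D HypotheticalEnTag: heard rpi=a1b2c3d4e5f60718293a4b5c6d7e8f90 from 5C:F3:70:AA:BB:CC rssi=-61
05-01 10:00:05.000  2200  2200 I ActivityManager: Start proc 4321:com.example.app/u0a99
05-01 10:00:09.789  1234  1251 D HypotheticalEnTag: heard rpi=a1b2c3d4e5f60718293a4b5c6d7e8f90 from 5C:F3:70:AA:BB:CC rssi=-58
"""


def classify(line):
    """Return 'rpi+mac', 'rpi', 'mac' or None for one log line."""
    has_rpi = bool(RPI_RE.search(line))
    has_mac = bool(MAC_RE.search(line))
    if has_rpi and has_mac:
        return "rpi+mac"  # the pairing the article describes for heard RPIs
    if has_rpi:
        return "rpi"
    return "mac" if has_mac else None


def redact(line):
    """Replace identifier-shaped tokens so the log can be shared for review."""
    return MAC_RE.sub("<mac-redacted>", RPI_RE.sub("<rpi-redacted>", line))


def audit(log_text):
    """Return ([(line_number, kind), ...], redacted_log) without echoing values."""
    findings, clean = [], []
    for number, line in enumerate(log_text.splitlines(), 1):
        kind = classify(line)
        if kind:
            findings.append((number, kind))
        clean.append(redact(line))
    return findings, "\n".join(clean)


if __name__ == "__main__":
    found, redacted = audit(SAMPLE_LOG)
    for number, kind in found:
        print(f"line {number}: {kind}")
    print(redacted)
```

The match is a heuristic: any 32-digit hex token (an MD5 digest, for example) is flagged too, so each finding is a line to review rather than proof of a leak.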