Australia’s COVIDSafe app among safest in the world
Australia’s COVIDSafe tracing app is one of the best and safest apps of its kind in the world, according to University of Adelaide cybersecurity experts who have been exploring the vulnerabilities of people-tracing apps.
A team from the University of Adelaide’s School of Computer Science has made the claim after assessing 34 of the world’s COVID-19 contact tracing apps for security and privacy vulnerabilities.
The team studied Android device tracing apps that have had more than 10,000 downloads each in different countries, as well as apps recommended by official authorities.
The results of the study can be found here:
Associate Professor Damith Ranasinghe from the University of Adelaide’s School of Computer Science says most COVID-19 contact tracing apps are vulnerable to malicious attacks, contain trackers and could, if hacked, create false data about the incidence of cases.
“Australia’s COVIDSafe app is currently well designed. Since its release on 14 April 2020, developers across the nation have continually improved its security,” Associate Professor Ranasinghe says.
“Everyone in Australia should be using the COVIDSafe app, in our opinion. It’s one of the best of its kind anywhere in the world today.
“While COVIDSafe is one of the safest, if not the safest tracing app, not all tracing apps are as good.
“About 70% of the apps in our sample pose potential security risks. This is because either their cryptographic algorithms used for securing data are insecure, or not best practice, or because they store sensitive information in clear text that could be potentially read by attackers.
“Over 60% of the apps posed vulnerabilities through manifest weaknesses such as allowing permissions for backups to be made, which could allow unencrypted data to be copied.
“We identified that approximately 75% of the apps contain at least one tracker, such as Google or Facebook trackers; these trackers collect information about people’s activities on their mobile devices. This private information could be given to third parties.
“It is possible to carry out a so-called replay attack, in which a malicious user can replay valid identifiers to redirect all the traffic from one place to another to virtually or digitally alter the footprint of the contact. This could result in the targeted area being incorrectly locked-down due to false information.”
Contact tracing apps operate by recording prolonged and close proximity interactions between individuals by using proximity sensing methods such as Bluetooth. The apps speed up the process of finding people who have been in close contact with someone infected with COVID-19. An app can only catch interactions between people who have installed it, so public buy-in is key to the app’s effectiveness.
“As part of our assessment of the vulnerabilities of apps currently being used, we identified a potential malicious attack scenario and proposed an idea to mitigate such a risk,” says Dr Jason Xue, from the University of Adelaide’s School of Computer Science.
“We informed all the app developers and related stakeholders on 23 May 2020 about the vulnerabilities so that they have the opportunity to update the apps.
“We recently re-checked all of these apps and found that all potential privacy leakage on three apps – TraceTogether (Singapore), BlueZone (Vietnam), STOP COVID19 CAT (Spain) – has been fixed. Additionally, all the trackers of the app, Mysejahtera (Malaysia), have been removed and the vulnerable app, Contact Tracer (USA), is no longer available in Google Play Store.
“In the latest version of COVIDSafe, developers have encrypted its local database which is stored in the phone, so that even if data is breached, the attacker will not be able to decrypt the data.
“A further improvement we have suggested is to detect the so-called rooting of a device in which a malicious actor tries to evade the protections provided to the app from the operating system of your mobile phone.
“Our study can provide useful insights for governments, developers and researchers in the software industry to develop secure and privacy-preserving contact tracing apps. We hope the results and the proposed contact tracing approach will contribute to increasing the trustworthiness of solutions to respond to infectious diseases now and in the future.
“As our next step, we are planning to examine any vulnerabilities associated with iOS apps.”
The University of Adelaide is a leader in cybersecurity education and research, and has a strategic industry focus on defence, cyber and space.
Media contacts:
Associate Professor Damith Ranasinghe
School of Computer Science
The University of Adelaide
Mobile: +61 (0)477 880 164
Email: damith.ranasinghe@adelaide.edu.au
Dr Jason Xue
Lecturer, School of Computer Science
The University of Adelaide
Mobile: +61 (0)420 378 228
Email: jason.xue@adelaide.edu.au
Crispin Savage
Senior Communications and Media Officer
The University of Adelaide
Mobile: +61 (0)481 912 465
Email: crispin.savage@adelaide.edu.au