This Android bug was discovered in the COVID-19 Exposure Notification system.
In 2020, Apple and Google announced a joint project intended to help slow the spread of the coronavirus. Both companies promised that the Apple and Google Exposure Notification system would be privacy-preserving.
Unfortunately, that is not the case on Android.
Researchers from AppCensus Discovered the Bug
When the project was announced, both Google and Apple assured users that the data gathered through the system would be anonymized.
They also promised that the data would not be shared with anyone other than public health agencies.
Even the governor of California, Gavin Newsom, endorsed it, describing it as 100% private and secure.
However, AppCensus, which is a privacy analysis firm, would disagree.
The firm tested the system under a contract with the Department of Homeland Security, and its researchers found a privacy flaw in the contact tracing tool.
AppCensus alerted Google to the problem in February of this year, but Google had not fixed it.
Notably, the firm did not find the same issue in the iOS version.
According to AppCensus, COVID-19 contact tracing apps are built on top of the Exposure Notification system.
The system alerts users that they have been near infected individuals. On Android, the exposure data is written to the system log, which ordinary apps cannot read: the permission that gates it (android.permission.READ_LOGS) is granted only to system and privileged apps, not to apps installed from the store.
But, the firm pointed out, many apps pre-installed on Android devices by manufacturers and carriers run with exactly that privileged status.
Such apps hold permissions ordinary apps cannot obtain, including the ability to read system logs, so they could potentially read the exposure notification data.
Those apps could then use that data to infer a user's health status.
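The practical check a device owner or auditor wants at this point is: which packages on this phone actually hold READ_LOGS, and are they pre-installed? The script below is an added example, not code from the article, from AppCensus or from Google. It parses the output of `adb shell dumpsys package` and lists every package granted android.permission.READ_LOGS, flagging those whose code lives on a system partition. The sample input is constructed in the shape of dumpsys output with placeholder package names; the exact layout varies across Android releases, so treat the line formats (and the `PackageInfo` helper and `SYSTEM_PREFIXES` list) as assumptions and adjust the patterns for your device.

```python
"""Which installed packages can read the Android system log?

Added example (not from the article, AppCensus or Google). Parses the output of
`adb shell dumpsys package` and reports packages granted
android.permission.READ_LOGS, flagging those installed on a system partition.
The exact dumpsys layout is an assumption; adjust the regexes for your device.
"""
import re
import sys
from dataclasses import dataclass, field

READ_LOGS = "android.permission.READ_LOGS"
# Partitions that hold pre-installed (OEM / carrier / Google) apps; assumption.
SYSTEM_PREFIXES = ("/system/", "/system_ext/", "/product/", "/vendor/", "/apex/")

# Constructed sample in the shape of `dumpsys package` output (placeholder
# package names, not captured from a real device).
SAMPLE_DUMP = """\
Packages:
  Package [com.example.oemdiagnostics] (1a2b3c):
    userId=1000
    codePath=/system/priv-app/OemDiagnostics
    install permissions:
      android.permission.READ_LOGS: granted=true
      android.permission.INTERNET: granted=true
  Package [com.example.contacttracer] (4d5e6f):
    userId=10234
    codePath=/data/app/~~abc==/com.example.contacttracer-xyz==
    install permissions:
      android.permission.INTERNET: granted=true
      android.permission.BLUETOOTH: granted=true
  Package [com.example.sideloaded] (7a8b9c):
    userId=10250
    codePath=/data/app/~~def==/com.example.sideloaded-uvw==
    requested permissions:
      android.permission.READ_LOGS
    install permissions:
      android.permission.READ_LOGS: granted=false
"""

PKG_RE = re.compile(r"^\s*Package \[([^\]]+)\]")
CODEPATH_RE = re.compile(r"^\s*codePath=(\S+)")
# Permission lines may carry a trailing ", flags=[...]" on newer releases;
# the pattern is not end-anchored so those still match.
PERM_RE = re.compile(r"^\s*([\w.]+): granted=(true|false)")


@dataclass
class PackageInfo:
    name: str
    code_path: str = ""
    granted: set = field(default_factory=set)

    @property
    def preinstalled(self) -> bool:
        return self.code_path.startswith(SYSTEM_PREFIXES)


def parse_dumpsys(text: str) -> dict:
    """Return {package_name: PackageInfo} from dumpsys package output."""
    pkgs = {}
    current = None
    for line in text.splitlines():
        m = PKG_RE.match(line)
        if m:
            current = pkgs.setdefault(m.group(1), PackageInfo(m.group(1)))
            continue
        if current is None:
            continue
        m = CODEPATH_RE.match(line)
        if m:
            current.code_path = m.group(1)
            continue
        m = PERM_RE.match(line)
        if m and m.group(2) == "true":
            # Only granted permissions matter: a requested-but-denied
            # READ_LOGS (as on a sideloaded app) gives no log access.
            current.granted.add(m.group(1))
    return pkgs


def log_readers(text: str) -> list:
    """Sorted names of packages that hold READ_LOGS."""
    return sorted(p.name for p in parse_dumpsys(text).values()
                  if READ_LOGS in p.granted)


def report(text: str) -> list:
    """(package, preinstalled?) tuples for every READ_LOGS holder."""
    pkgs = parse_dumpsys(text)
    return [(n, pkgs[n].preinstalled) for n in log_readers(text)]


if __name__ == "__main__":
    # Usage: adb shell dumpsys package > dump.txt && python3 readlogs.py dump.txt
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DUMP
    for name, pre in report(text):
        print(f"{name}\t{'preinstalled' if pre else 'user-installed'}")
```

Run it against a dump from a real device (`adb shell dumpsys package > dump.txt`) to see which pre-installed apps on that handset could read what the Exposure Notification service writes to the log. A hit only shows capability, not that the app actually collects logs, which is exactly the uncertainty AppCensus raised.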
Google says the logs never leave the device. AppCensus countered that Google cannot make that claim, because it has no way of knowing whether these pre-installed apps collect system logs.
So far there is no evidence that any pre-installed app actually collected the data, and the Bluetooth identifiers on their own do not reveal a user's location or identity.
Data is shared with public health authorities only when a user reports testing positive for COVID-19.
Google's privacy officers emphasized that the data is stored and processed on the device rather than on servers, which is what is meant to protect users' privacy.
Easy to Fix
The firm was quick to point out that the bug is not a flaw in the Exposure Notification protocol itself; it is a flaw in how Google implemented the system on Android.
It is also a fixable one: Google can simply stop writing exposure data to the system log.
The Markup reported that Google is already working on a fix, but it is not finished, and Google has not said when it will roll out to the public.
Google runs a bug bounty program that pays researchers who find security flaws in its services, but it pays only when the flaw is serious enough to meet its criteria.
Google apparently did not consider the AppCensus findings to meet that bar.
In other words, Google does not think the flaw is serious enough to warrant a reward.