Researchers flag concern around implementation of contact tracing apps, citing possibilities of device traceability, personal data compromise, app traffic interception, and fake health reports
- GPS can give away sensitive information, revealing users’ travels and locations over previous few days or weeks
- Bluetooth Low Energy (BLE) can be used to track a person’s device
- In order to preserve user anonymity, no personal identifiers (phone number, name, IDs, etc.) should be associated with the application at any time
Security researchers at Check Point are closely examining contact tracing apps. After initial review, they have flagged a number of concerns over how contact tracing applications are implemented. Researchers outlined four concerns:
- Devices can be traced. As some contact tracing applications rely on Bluetooth Low Energy (BLE), devices broadcast handshake packets that facilitate identification of contact with other devices. If not implemented correctly, hackers can trace a person’s device by correlating devices and their respective identification packets.
- Personal data can be compromised. Naturally, applications store contact logs, encryption keys and other sensitive data on devices. Sensitive data should be encrypted and stored in the application sandbox and not in shared locations. Even within the sandbox, gaining root privileges or physical access to the device could compromise the data, more so if sensitive information such as GPS locations is stored.
- Interception of an application’s traffic. Users can be susceptible to “man-in-the-middle” attacks and the interception of the application’s traffic if all communications with the application backend server are not properly encrypted.
- Flooding of fake health reports possible. Researchers say it is important that contact tracing applications perform authentication when information is submitted to their servers, such as when a user posts their diagnosis and contact logs. Without proper authorization in place, it could be possible to flood the servers with fake health reports, undermining the reliability of the whole system.
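The first concern above hinges on whether the BLE identification packets stay constant. The constructed example below (added here, not Check Point's code or any real app's protocol) contrasts a static identifier, which a passive observer can link across sightings, with an identifier re-derived from a per-day key every window; the 10-minute rotation period and the HMAC-based derivation are assumptions.

```python
"""Static vs. rolling BLE identifiers for a contact tracing beacon.
Constructed example: rotation period and derivation are assumptions."""
import hashlib
import hmac
import secrets

INTERVAL_SECONDS = 10 * 60            # assumed rotation period
INTERVALS_PER_DAY = 86400 // INTERVAL_SECONDS


def new_day_key() -> bytes:
    """Fresh random key per day; only this key is ever uploaded."""
    return secrets.token_bytes(16)


def interval_index(timestamp: int) -> int:
    """Which rotation window within the day a timestamp falls into."""
    return (timestamp % 86400) // INTERVAL_SECONDS


def rolling_id(day_key: bytes, idx: int) -> bytes:
    """Identifier broadcast during window idx; a PRF output of the day key."""
    msg = b"rolling-id" + idx.to_bytes(4, "big")
    return hmac.new(day_key, msg, hashlib.sha256).digest()[:16]


def static_broadcast(device_id: bytes, timestamp: int) -> bytes:
    """Flawed design: the same bytes every time, so the device is trackable."""
    return device_id


def rolling_broadcast(day_key: bytes, timestamp: int) -> bytes:
    """Mitigated design: bytes change every window and are unlinkable
    to anyone who does not hold the day key."""
    return rolling_id(day_key, interval_index(timestamp))


def observer_can_link(packet_a: bytes, packet_b: bytes) -> bool:
    """A passive sniffer links two sightings only if the bytes match."""
    return packet_a == packet_b


def exposure_match(observed: set, published_day_keys: list) -> bool:
    """Phone-side check: re-derive the ids from keys published by diagnosed
    users and compare them with ids recorded from nearby devices."""
    for key in published_day_keys:
        for idx in range(INTERVALS_PER_DAY):
            if rolling_id(key, idx) in observed:
                return True
    return False
```

Note that matching still works once a diagnosed user publishes their day key, so unlinkability for observers does not cost the app its contact detection.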
Check Point will continue researching contact tracing applications and their frameworks.
How to Stay Protected:
- Download from official stores only. Install contact-tracing COVID-19 applications from official app stores, since they only allow authorized government agencies to publish such apps.
- Use mobile security solutions. Download and install a mobile security solution to scan applications and protect the device against malware, as well as verify that the device has not been compromised.
Quote: Jonathan Shimonovich, Manager of Mobile Research:
“The jury is still out on how safe contact tracing apps are. After initial review, we have some serious concerns. Contact tracing apps must maintain a delicate balance between privacy and security, since poor implementation of security standards may put users’ data at risk. This comes down to questions on what data is collected, how it is stored and, ultimately, how it is distributed.”