Google’s COVID contact tracing application may have leaked data

Shane McGlaun - Apr 28, 2021, 6:43am CDT
Something that Google and other giant tech companies pushed heavily during the COVID-19 pandemic was an application that could track contacts to help warn those who may have been exposed to the virus. When the app was unveiled, Google promised that it was completely private, but researchers have now discovered that it wasn’t as private as Google led us to believe after all. According to the researchers, hundreds of preinstalled apps on smartphones and other devices could access a log found on Android devices where sensitive contact tracing information is stored.

Researchers say that Google assured users that data generated using their apps, including people’s movements, who they may have come in contact with, and whether they reported testing positive for COVID-19, was anonymized and wouldn’t be shared with anyone other than health agencies. Since the apps became available, millions of people around the world have downloaded them.

As it turns out, the apps aren’t as secure or private as Apple and Google would lead you to believe, particularly in the Android version. In the Android version, a privacy flaw was discovered by researchers from privacy analytics firm AppCensus. The analytics company alerted Google to the problem in February of this year but said Google failed to fix it.

When the flaw was discovered, AppCensus was testing the system as part of a contract with the Department of Homeland Security. The company is clear that no privacy issues were found with the iPhone version of the contact tracing framework. Many will be upset that Google failed to patch the issue in its Android app because, according to the researchers, it’s a one-line fix: programmers only need to remove the line that logs sensitive information to the system log.

They say the change wouldn’t impact the program or change how it works, making it an “obvious fix.” Google says it was notified of an issue where Bluetooth identifiers were temporarily accessible to specific system-level applications for debugging purposes and began to “immediately” roll out a fix. When asked directly if the security issue had been repaired, a Google spokesperson told The Markup that the rollout of an update to Android devices began several weeks ago and would be complete “in the coming days.”

