Highlights from a COVIDSafe App teardown

Robi Andres
May 4, 2020

The Australian government has released the APK files of the #COVIDSafe application, the country’s official contact tracing app, which is based on Singapore’s OpenTrace code. Some volunteers have done a teardown of this APK to audit it for security and privacy concerns; a video of the session is linked below:

I have taken the liberty of highlighting some “under the hood” technical points made by the presenters that I found notable, particularly in light of my interest in translating privacy-by-design ideals into concrete technical implementations. The hope is that developers in a position to design such solutions can use these ideas as inspiration for their own designs.

1.) The data generated by the user’s phone is stored on the device and is accessible only by the COVIDSafe app.

  • Proof 1.1: No physical file path is specified in the arguments of the Room.databaseBuilder method.
  • Proof 1.2: No READ_EXTERNAL_STORAGE or WRITE_EXTERNAL_STORAGE permission is declared in the AndroidManifest.xml file.

2.) GPS-based location tracking is not used, but the location permission still has to be requested because Android requires it when an app uses Bluetooth scanning. Over Bluetooth the app collects the following: signal strength, the randomly generated UUID, and the phone’s Bluetooth address, but NOT the device name. Note: Bluetooth protocols do not have parameters for distance. Ergo, the calculation for location is done via server-side processing using the collected information.

  • Proof: The presence of the following methods: scanResult.getDevice(), scanResult.getRssi(), scanResult.getTxPower(). Meanwhile, setIncludeDeviceName is set to false.

3.) The app looks only for a particular kind of Bluetooth device, hence it ignores the noise (which in this case is every other kind of Bluetooth-enabled device).

  • Proof: The presence of the method addServiceUuid().
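To make points 1 to 3 concrete, here is an added Kotlin example of how those three properties look in source. It is my own illustration, not code from COVIDSafe or OpenTrace: the entity, DAO and database names, the placeholder service UUID, and the `peerTempIdOf` callback (standing in for however the app learns a peer’s temporary ID) are all assumptions.

```kotlin
// Added example, not COVIDSafe/OpenTrace code. Shows the three properties the
// teardown infers from the decompiled app: an app-private Room database,
// a scan filter on one service UUID, and which BLE fields are recorded.
import android.bluetooth.BluetoothAdapter
import android.bluetooth.le.AdvertiseData
import android.bluetooth.le.ScanCallback
import android.bluetooth.le.ScanFilter
import android.bluetooth.le.ScanResult
import android.bluetooth.le.ScanSettings
import android.content.Context
import android.os.ParcelUuid
import androidx.room.Dao
import androidx.room.Database
import androidx.room.Entity
import androidx.room.Insert
import androidx.room.PrimaryKey
import androidx.room.Room
import androidx.room.RoomDatabase
import java.util.UUID
import java.util.concurrent.Executor

// Placeholder service UUID (assumed; the real app's value is not reproduced here).
val TRACING_SERVICE_UUID = ParcelUuid(UUID.fromString("00000000-0000-4000-8000-000000000000"))

// One observed encounter. Note what is NOT here: the peer's device name or any GPS fix.
@Entity(tableName = "encounter")
data class Encounter(
    @PrimaryKey(autoGenerate = true) val id: Long = 0,
    val peerTempId: String, // the peer's randomly generated, rotating identifier
    val address: String,    // the peer's Bluetooth address as seen by this phone
    val rssi: Int,          // received signal strength at this phone
    val txPower: Int,       // advertised transmit power, or ScanResult.TX_POWER_NOT_PRESENT
    val timestamp: Long
)

@Dao
interface EncounterDao {
    @Insert fun insert(e: Encounter)
}

@Database(entities = [Encounter::class], version = 1)
abstract class EncounterDb : RoomDatabase() {
    abstract fun dao(): EncounterDao

    companion object {
        // Proof 1.1: only a file name is given, never a path. Room then creates
        // the file under the app's private data directory, which other apps
        // cannot read on an unrooted device. Pointing it at external storage
        // would also need the storage permissions the manifest lacks (Proof 1.2).
        fun open(context: Context): EncounterDb =
            Room.databaseBuilder(context.applicationContext, EncounterDb::class.java, "encounters.db").build()
    }
}

// Proof 3: only advertisements carrying the tracing service UUID are delivered;
// headsets, watches and other BLE devices never reach the callback.
fun buildScanFilters(): List<ScanFilter> =
    listOf(ScanFilter.Builder().setServiceUuid(TRACING_SERVICE_UUID).build())

// Proof 2: the fields read from each ScanResult. getDevice().getName() is never called.
// `peerTempIdOf` stands in for however the app obtains the peer's temporary ID
// (assumed here; that exchange is outside this example).
class EncounterScanCallback(
    private val dao: EncounterDao,
    private val io: Executor,                   // Room refuses writes on the main thread
    private val peerTempIdOf: (ScanResult) -> String?
) : ScanCallback() {
    override fun onScanResult(callbackType: Int, result: ScanResult) {
        val tempId = peerTempIdOf(result) ?: return
        val encounter = Encounter(
            peerTempId = tempId,
            address = result.device.address, // scanResult.getDevice()
            rssi = result.rssi,              // scanResult.getRssi()
            txPower = result.txPower,        // scanResult.getTxPower(), API 26+
            timestamp = System.currentTimeMillis()
        )
        io.execute { dao.insert(encounter) }
    }
}

// Proof 2, advertising side: the phone announces the service UUID but withholds its name.
fun buildAdvertiseData(): AdvertiseData =
    AdvertiseData.Builder()
        .setIncludeDeviceName(false)
        .addServiceUuid(TRACING_SERVICE_UUID)
        .build()

// Scan results are only delivered when location permission is granted on
// Android 6 through 11, which is why the app must ask for it even though it
// never requests a GPS fix.
fun startScanning(adapter: BluetoothAdapter, callback: ScanCallback) {
    val settings = ScanSettings.Builder().setScanMode(ScanSettings.SCAN_MODE_LOW_POWER).build()
    adapter.bluetoothLeScanner?.startScan(buildScanFilters(), settings, callback)
}
```

When reviewing a decompiled app for the same properties, the places to look are exactly those the presenters used: the string argument of `Room.databaseBuilder`, the absence of storage permissions in the manifest, the `ScanFilter` passed to `startScan`, the getters called on each `ScanResult`, and the value passed to `setIncludeDeviceName`.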

4.) Uses public-key encryption, so that only the government-controlled AWS server can decrypt the data being uploaded. Note: Uploads are done only at the user’s request, after they have been notified that they tested positive for the virus.

  • Proof: Presence of .pem files in methods associated with file uploads.
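The practical consequence of shipping only a .pem public key in the app is that nothing on the device, not even the app itself, can decrypt what it uploads. The following added Kotlin example (my own, not code from COVIDSafe or OpenTrace) shows one standard way to achieve that: parse a PEM-encoded public key and seal the payload so only the matching private key can open it. RSA-OAEP with an AES-GCM envelope is my assumption for the scheme; the teardown only establishes that public-key encryption and .pem files are involved, not which algorithm is used.

```kotlin
// Added example, not COVIDSafe/OpenTrace code. The device holds only the server's
// public key (as a .pem); the payload can be decrypted only by the private key holder.
import java.security.KeyFactory
import java.security.KeyPairGenerator
import java.security.PrivateKey
import java.security.PublicKey
import java.security.SecureRandom
import java.security.spec.MGF1ParameterSpec
import java.security.spec.OAEPParameterSpec
import java.security.spec.X509EncodedKeySpec
import java.util.Base64
import javax.crypto.Cipher
import javax.crypto.KeyGenerator
import javax.crypto.spec.GCMParameterSpec
import javax.crypto.spec.PSource
import javax.crypto.spec.SecretKeySpec

// Pin the OAEP hash and MGF1 hash explicitly: with the bare transformation string some
// providers default the MGF1 hash to SHA-1, which silently breaks interop with the server.
private val OAEP_SHA256 =
    OAEPParameterSpec("SHA-256", "MGF1", MGF1ParameterSpec.SHA256, PSource.PSpecified.DEFAULT)

/** Parses a "-----BEGIN PUBLIC KEY-----" (SubjectPublicKeyInfo) PEM block into an RSA PublicKey. */
fun loadRsaPublicKeyFromPem(pem: String): PublicKey {
    val base64 = pem.lineSequence()
        .map { it.trim() }
        .filter { it.isNotEmpty() && !it.startsWith("-----") }
        .joinToString("")
    val der = Base64.getDecoder().decode(base64)
    return KeyFactory.getInstance("RSA").generatePublic(X509EncodedKeySpec(der))
}

/** Hybrid envelope: a fresh AES-256-GCM key encrypts the payload; RSA-OAEP wraps that key. */
class Envelope(val wrappedKey: ByteArray, val iv: ByteArray, val ciphertext: ByteArray)

// Device side: needs only the public key.
fun sealForServer(serverPublicKey: PublicKey, payload: ByteArray): Envelope {
    val rng = SecureRandom()
    val aesKey = KeyGenerator.getInstance("AES").apply { init(256, rng) }.generateKey()
    val iv = ByteArray(12).also { rng.nextBytes(it) }   // 96-bit nonce, never reused with this key
    val gcm = Cipher.getInstance("AES/GCM/NoPadding")
    gcm.init(Cipher.ENCRYPT_MODE, aesKey, GCMParameterSpec(128, iv))
    val ciphertext = gcm.doFinal(payload)
    val rsa = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding")
    rsa.init(Cipher.ENCRYPT_MODE, serverPublicKey, OAEP_SHA256)
    return Envelope(rsa.doFinal(aesKey.encoded), iv, ciphertext)
}

// Server side: the only party holding the private key.
fun openEnvelope(serverPrivateKey: PrivateKey, env: Envelope): ByteArray {
    val rsa = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding")
    rsa.init(Cipher.DECRYPT_MODE, serverPrivateKey, OAEP_SHA256)
    val aesKey = SecretKeySpec(rsa.doFinal(env.wrappedKey), "AES")
    val gcm = Cipher.getInstance("AES/GCM/NoPadding")
    gcm.init(Cipher.DECRYPT_MODE, aesKey, GCMParameterSpec(128, env.iv))
    return gcm.doFinal(env.ciphertext)   // throws AEADBadTagException if tampered with
}

fun main() {
    // Constructed key pair standing in for the server's; the app would ship only the public half.
    val kp = KeyPairGenerator.getInstance("RSA").apply { initialize(2048) }.generateKeyPair()
    val pem = "-----BEGIN PUBLIC KEY-----\n" +
        Base64.getMimeEncoder(64, "\n".toByteArray()).encodeToString(kp.public.encoded) +
        "\n-----END PUBLIC KEY-----\n"
    val payload = "constructed upload payload".toByteArray()
    val env = sealForServer(loadRsaPublicKeyFromPem(pem), payload)
    check(String(openEnvelope(kp.private, env)) == "constructed upload payload")
    println("round trip ok; the device side never held the private key")
}
```

The audit question this design answers is "who can read an upload?", and the answer is fixed by key distribution: the app's APK contains the public half only, so a copy of the database or of the network traffic is useless without the server's private key. What it does not address is the server's own handling of the data once decrypted, which no APK teardown can verify.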

5.) Application stores data for a maximum of 21 days.

  • Proof: Presence of the AlarmManager class and java.util.Calendar, which together trigger a DELETE query on the SQLite database.
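The retention mechanism in point 5 is a scheduler plus a cutoff calculation plus a DELETE. Here is an added Kotlin example of that combination, written by me for illustration rather than taken from COVIDSafe or OpenTrace; the table and column names, the daily schedule, and the receiver and database class names are assumptions.

```kotlin
// Added example, not COVIDSafe/OpenTrace code. A daily AlarmManager broadcast
// computes "now minus 21 days" with java.util.Calendar and runs a DELETE on
// the Room/SQLite database. Table and column names are assumed.
import android.app.AlarmManager
import android.app.PendingIntent
import android.content.BroadcastReceiver
import android.content.Context
import android.content.Intent
import android.os.SystemClock
import androidx.room.Dao
import androidx.room.Database
import androidx.room.Entity
import androidx.room.PrimaryKey
import androidx.room.Query
import androidx.room.Room
import androidx.room.RoomDatabase
import java.util.Calendar
import java.util.concurrent.Executors

const val RETENTION_DAYS = 21

// Minimal row: only the column the purge needs (assumed schema).
@Entity(tableName = "encounter")
data class EncounterRow(@PrimaryKey(autoGenerate = true) val id: Long = 0, val timestamp: Long)

@Dao
interface RetentionDao {
    // The DELETE the teardown refers to: every row older than the cutoff is removed.
    @Query("DELETE FROM encounter WHERE timestamp < :cutoffMillis")
    fun purgeOlderThan(cutoffMillis: Long): Int   // returns the number of rows deleted
}

@Database(entities = [EncounterRow::class], version = 1)
abstract class RetentionDb : RoomDatabase() {
    abstract fun retentionDao(): RetentionDao
    companion object {
        // A real app keeps one instance; opening per alarm is kept simple here.
        fun open(context: Context): RetentionDb =
            Room.databaseBuilder(context.applicationContext, RetentionDb::class.java, "encounters.db").build()
    }
}

// Cutoff = now minus RETENTION_DAYS. Calendar.add handles month and year boundaries.
// `now` is a parameter so the arithmetic can be checked against fixed dates.
fun retentionCutoffMillis(now: Calendar = Calendar.getInstance()): Long {
    val cutoff = now.clone() as Calendar
    cutoff.add(Calendar.DAY_OF_YEAR, -RETENTION_DAYS)
    return cutoff.timeInMillis
}

// Runs when the alarm fires. goAsync() keeps the receiver alive while the
// database work happens off the main thread.
class PurgeReceiver : BroadcastReceiver() {
    override fun onReceive(context: Context, intent: Intent) {
        val pending = goAsync()
        Executors.newSingleThreadExecutor().execute {
            try {
                val deleted = RetentionDb.open(context).retentionDao()
                    .purgeOlderThan(retentionCutoffMillis())
                // `deleted` rows were older than RETENTION_DAYS; log the count, never the rows
            } finally {
                pending.finish()
            }
        }
    }
}

// Register PurgeReceiver in AndroidManifest.xml, then call this once (e.g. at first launch).
fun schedulePurge(context: Context) {
    val alarms = context.getSystemService(Context.ALARM_SERVICE) as AlarmManager
    val intent = Intent(context, PurgeReceiver::class.java)
    val pi = PendingIntent.getBroadcast(
        context, 0, intent, PendingIntent.FLAG_UPDATE_CURRENT or PendingIntent.FLAG_IMMUTABLE
    )
    // Inexact daily repeat: the OS may batch it with other alarms, which is fine
    // for a retention job. A force-stop cancels it, so re-schedule on the next launch.
    alarms.setInexactRepeating(
        AlarmManager.ELAPSED_REALTIME_WAKEUP,
        SystemClock.elapsedRealtime() + AlarmManager.INTERVAL_DAY,
        AlarmManager.INTERVAL_DAY,
        pi
    )
}
```

Two caveats a reviewer would check in a real build: alarms do not survive a reboot, so a BOOT_COMPLETED receiver (or a re-schedule on launch) is needed for the 21-day limit to hold in practice, and the purge is only as strong as the `timestamp` column, so rows written with a wrong clock could outlive the window.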

Some links shared by the presenters

  1. The APK file of the COVIDSafe app along with the jadx decompiler in order to view the code underneath.
  2. Reference for Singapore’s OpenTrace
  3. A blog post offering a more critical opinion of both the OpenTrace and COVIDSafe applications.
