New tool spots security issues with Covid tracing apps

A team of researchers has developed a tool to identify risks associated with Covid-19 contact tracing apps.

“COVIDGuardian”, the first automated security and privacy assessment tool, tests contact tracing apps for potential threats such as malware, embedded trackers, and private information leakage.

Using the “COVIDGuardian” tool, cybersecurity experts from Queen Mary University of London assessed 40 Covid-19 contact tracing apps that have been employed worldwide for potential privacy and security threats.

They found that 72.5 percent of the apps use at least one insecure cryptographic algorithm.

“Three-quarters of apps contained at least one tracker that reports information to third parties such as Facebook Analytics or Google Firebase. While most apps were free of malware, the Kyrgyzstan app ‘Stop Covid-19 KG’ was discovered to have malware,” the researchers said in a paper scheduled to be presented at the virtual International Conference on Software Engineering in May.

“With the pandemic, there was a rapid need for contact tracing apps to support efforts to control the spread of Covid-19. Unsurprisingly we found that this had resulted in some relatively mainstream security bugs being introduced worldwide,” said Dr. Gareth Tyson, Senior Lecturer at the Queen Mary University of London.

Some of the most common risks related to the use of out-of-date cryptographic algorithms and the storage of sensitive information in plain text formats that could be read by potential attackers.

“Through COVIDGuardian we’ve produced a tool that can be used by developers to discover and fix potential weaknesses in their apps and share guidelines that will help to ensure user privacy and security is maintained,” Tyson said.

To support this work the researchers also performed a survey involving over 370 individuals to understand the likelihood that they would use a contact tracing app and highlight concerns around their use.

The results suggested that the privacy and accuracy of contact tracing apps had the biggest impact on whether individuals would use the app.