The Android version of Google and Apple’s COVID-19 exposure notification app had a privacy flaw that let other preinstalled apps potentially see sensitive data, including if someone had been in contact with a person who tested positive for COVID-19, privacy analysis firm AppCensus revealed on Tuesday. Google says it’s currently rolling out a fix to the bug.
The bug cuts against repeated promises from Google CEO Sundar Pichai, Apple CEO Tim Cook, and numerous public health officials that the data collected by the exposure notification program could not be shared outside of a person’s device.
AppCensus first reported the vulnerability to Google in February, but the company failed to address it, The Markup reported. Fixing the issue would be as simple as deleting a few nonessential lines of code, Joel Reardon, co-founder and forensics lead of AppCensus, told The Markup. “It’s such an obvious fix, and I was flabbergasted that it wasn’t seen as that,” Reardon said.
Updates to address the issue are “ongoing,” Google spokesperson José Castañeda said in an emailed statement to The Markup. “We were notified of an issue where the Bluetooth identifiers were temporarily accessible to specific system level applications for debugging purposes, and we immediately started rolling out a fix to address this,” he said.
The exposure notification system works by pinging anonymized Bluetooth signals between a user’s phone and other phones that have the system activated. Then, if someone using the app tests positive for COVID-19, they can work with health authorities to send an alert to any phones with corresponding signals logged in the phone’s memory.
On Android phones, the contact-tracing data is logged in privileged system memory, where it’s inaccessible to most software running on the phone. But apps that are preinstalled by manufacturers get special system privileges that would let them access those logs, putting sensitive contact-tracing data at risk. There is no indication any apps have actually collected that data at this point, Reardon said.
Preinstalled apps have taken advantage of their special permissions before — other investigations show that they sometimes harvest data like geolocation information and phone contacts.
The analysis did not find any similar issues with the exposure notification system on iPhone.
The problem is an implementation issue and not inherent to the exposure notification framework, Serge Egelman, the chief technology officer at AppCensus, said in a statement posted on Twitter. It should not erode trust in public health technologies. “We hope the lesson here is that getting privacy right is really hard, vulnerabilities will always be discovered in systems, but that it’s in everyone’s interest to work together to remediate these issues,” Egelman said.