Google and Apple presented their contact tracing system to combat the pandemic in spring 2020. Their initial statement of intent promised privacy and security for all: “We understand that the success of this approach depends on people having confidence that their private information will be protected.” But in reality, for mobile users with the Android operating system, developed by Google, this has not been the case.
Contact tracing apps were supposed to help fight the pandemic. Millions of users downloaded national applications based on the Google and Apple system. In Europe, the United Kingdom, reluctant at first, has been the country with the highest penetration. Millions of Spaniards, Germans, Swiss, Italians and Belgians downloaded national versions of the system. However, its success, starting with the Spanish Radar Covid, has been relative.
Now research by AppCensus, a privacy company based in San Francisco, reveals that Google’s implementation was poor. Google allowed the application’s private data to be recorded in the device’s internal activity file (better known as the log), where it was accessible to hundreds of apps pre-installed on mobile phones. This vulnerability could make it possible to link the identity of the phone’s owner with their location, their social contacts and whether they were positive.
“It is a vulnerability that can be solved because it is not a design error in the tracking technology,” says Narseo Vallina-Rodríguez, one of the authors of the research, a member of AppCensus and a researcher at Imdea Networks. “Implementation errors are a constant in the digital world and in all the products we have installed on our devices,” he adds. The company found the vulnerability while analyzing the system as part of a contract it has with the US Department of Homeland Security. For now, they say in their post published today, the problem is still there: the logs still record that information.
The only users potentially directly affected by this flaw are Android users. AppCensus has not encountered a similar problem at Apple, although iPhone owners may have been affected as a result of appearing as contacts of Android users.
The complexity and opacity of the technological systems of large companies make these errors more difficult to detect. “It’s another example of why critical public interest systems should be open source,” says Vallina-Rodríguez. “The opacity of the system has not allowed detecting these vulnerabilities for almost a year.” That very opacity makes it harder to determine the real scope of the problem.
The problem with pre-installed apps
The phone’s log is not accessible to the apps that a user downloads from Google Play. They do not have the necessary permissions to access that internal data. But the applications that come pre-installed on the device from the factory do have this access. In the research they describe two examples, Xiaomi and Samsung phones, where there are 54 and 89 applications, respectively, that can read that information. Xiaomi and Samsung are just two cases: the vast majority of Android phone manufacturers ship apps that are installed at the factory and that have access to a lot of information without the user being aware, as EL PAÍS already revealed.
Researchers warned Google of this vulnerability on February 19. After 60 days without the company having remedied it, they are publishing their results and have notified the competent authorities. “What is potentially serious about this problem is that the damage for many users may already be done,” explains Vallina-Rodríguez. “Every Android device has pre-installed applications with the necessary privileges to read the logs from the system, and upload them to their servers without knowing very well what goes in those records, including health data. It is very difficult to quantify the magnitude of the problem and it is something that should be resolved in the investigations carried out by the regulators.”
In a statement, Google admits to having received the communication and minimizes the alleged risk: “We were notified of an issue whereby the Bluetooth identifiers were temporarily accessible to other pre-installed applications for debugging purposes and we immediately started working to fix it,” says a company spokesperson. “These identifiers do not reveal the location of a user or provide any other identifying information and we have no indication that it has been used, nor that any app was even aware of this.”
In its post, AppCensus explains how easy it is to link these identifiers, which admittedly reveal nothing by themselves, with the personal data of each user. “An entity that collects the log can also associate it with the identity of the user. Any app, including the pre-installed ones, can have permissions to get the email address or the phone number of the device,” they write. Not only that: with the help of other databases that collect more data, the information from the contact tracing system can also lead to the location and physical contacts of each user. The random identifiers of the contact tracing system can be converted into a MAC address (which identifies a device), “and with access to existing databases, they can convert that MAC address into a geolocation, which allows reaching the historical location of a user.”
The seriousness and consequences of the breach will be something that the competent authorities will have to assess. EL PAÍS has contacted and awaits a response from the European Data Protection Supervisor and the Spanish Data Protection Agency.