Skip to main content
SpringerLink
Log in

A Study of the Privacy of COVID-19 Contact Tracing Apps

  • Conference paper
  • First Online:
Security and Privacy in Communication Networks (SecureComm 2020)

Abstract

The COVID-19 pandemic has spread across the globe and resulted in substantial loss of lives and livelihoods. To effectively fight this pandemic, many digital contact tracing mobile apps have been developed. Unfortunately, many of these apps lack transparency and thus escalate concerns about their security and privacy. In this paper, we seek to perform a systematic and cross-platform study of the privacy issues in official contact tracing apps worldwide. To this end, we have collected 41 released apps in total, many of which run on both iOS and Android platforms, and analyzed both their documentation and binary code. Our results show that some apps expose identifiable information that can enable fingerprinting of apps and tracking of specific users that raise security and privacy concerns. Further, some apps have inconsistent data collection behaviors across different mobile platforms even though they are designed for the same purpose.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 84.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 109.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

References

  1. 60+ revealing statistics about smartphone usage in 2020. https://techjury.net/blog/smartphone-usage-statistics/. Accessed 24 June 2020

  2. Aarogyasetu\(\_\)android. https://github.com/nic-delhi/AarogyaSetu_Android. Accessed 23 June 2020

  3. Apktool. https://ibotpeaches.github.io/Apktool/. Accessed 23 June 2020

  4. Bluetooth sig, inc. https://www.bluetooth.com/

  5. Bluetrace protocol. https://bluetrace.io. Accessed 23 June 2020

  6. Covid-19 map. https://coronavirus.jhu.edu/map.html. Accessed 6 Aug 2020

  7. Covid-19 tracing apps now live in Germany, France, and Italy; U.K. rethinks its plans. https://venturebeat.com/2020/06/19/covid-19-tracing-apps-now-live-in-germany-france-and-italy-u-k-rethinks-its-plans/. Accessed 24 June 2020

  8. covid19-tracker-apps. https://github.com/fs0c131y/covid19-tracker-apps. Accessed 23 June 2020

  9. erouska-android. https://github.com/covid19cz/erouska-android. Accessed 23 June 2020

  10. Exposure notification - Bluetooth specification v1.1. https://www.blog.google/documents/62/Exposure_Notification_-_Bluetooth_Specification_v1.1.pdf. Accessed 24 June 2020

  11. A flood of coronavirus apps are tracking us. now it’s time to keep track of them. https://www.technologyreview.com/2020/05/07/1000961/launching-mittr-covid-tracing-tracker. Accessed 23 June 2020

  12. Ida pro - hex rays. https://www.hex-rays.com/products/ida/. Accessed 23 June 2020

  13. Instrumenting android apps with soot. https://github.com/soot-oss/soot/wiki/Instrumenting-Android-Apps-with-Soot. Accessed 23 June 2020

  14. Nhsx. https://github.com/nhsx. Accessed 23 June 2020

  15. startadvertising(\(\_\):) | ios developer documentation. https://developer.apple.com/documentation/corebluetooth/cbperipheralmanager/1393252-startadvertising. Accessed 23 June 2020

  16. Bahrain, Kuwait and Norway contact tracing apps among most dangerous for privacy, June 2020. https://www.amnesty.org/en/latest/news/2020/06/bahrain-kuwait-norway-contact-tracing-apps-danger-for-privacy/. Accessed 23 June 2020

  17. Qatari contact-tracing app ‘put 1m people’s sensitive data at risk’ (2020). https://www.theguardian.com/world/2020/may/27/qatar-contact-tracing-app-1m-people-sensitive-data-at-risk-coronavirus-covid-19. Accessed 23 June 2020

  18. Baumgärtner, L., et al.: Mind the gap: security & privacy risks of contact tracing apps. arXiv preprint arXiv:2006.05914 (2020)

  19. BBC: Coronavirus: Security flaws found in NHS contact-tracing app, May 2020. https://www.bbc.com/news/technology-52725810. Accessed 23 June 2020

  20. Celosia, G., Cunche, M.: Fingerprinting Bluetooth-low-energy devices based on the generic attribute profile. In: Proceedings of the 2nd International ACM Workshop on Security and Privacy for the Internet-of-Things, pp. 24–31 (2019)

    Google Scholar 

  21. Chen, D., Shin, K.G., Jiang, Y., Kim, K.-H.: Locating and tracking BLE beacons with smartphones. In: Proceedings of the 13th International Conference on Emerging Networking Experiments and Technologies, pp. 263–275 (2017)

    Google Scholar 

  22. Cho, H., Ippolito, D., Yu, Y.W.: Contact tracing mobile apps for covid-19: privacy considerations and related trade-offs. arXiv preprint arXiv:2003.11511 (2020)

  23. Das, A.K., Pathak, P.H., Chuah, C.-N., Mohapatra, P.: Uncovering privacy leakage in BLE network traffic of wearable fitness trackers. In: Proceedings of the 17th International Workshop on Mobile Computing Systems and Applications, pp. 99–104 (2016)

    Google Scholar 

  24. Eames, K.T.D., Keeling, M.J.: Contact tracing and disease control. Proc. Roy. Soc. London Ser. B Biol. Sci. 270(1533), 2565–2571 (2003)

    Google Scholar 

  25. Jeon, K.E., She, J., Soonsawad, P., Ng, P.C.: BLE beacons for internet of things applications: survey, challenges, and opportunities. IEEE Internet Things J. 5(2), 811–828 (2018)

    Google Scholar 

  26. Leith, D., Farrell, S.: Coronavirus contact tracing app privacy: what data is shared by the Singapore OpenTrace app? In: International Conference on Security and Privacy in Communication Networks (2020)

    Google Scholar 

  27. Leith, D., Farrell, S.: GAEN due diligence: verifying the Google/Apple covid exposure notification API 2020. SCSS Tech Report (2020)

    Google Scholar 

  28. Li, J., Guo, X.: Covid-19 contact-tracing apps: a survey on the global deployment and challenges. arXiv preprint arXiv:2005.03599 (2020)

  29. Lin, X.-Y., Ho, T.-W., Fang, C.-C., Yen, Z.-S., Yang, B.-J., Lai, F.: A mobile indoor positioning system based on iBeacon technology. In: 2015 37th Annual International Conference of the IEEE Engineering in Medicine and Biology Society (EMBC), pp. 4970–4973. IEEE (2015)

    Google Scholar 

  30. Nan, Y., Yang, Z., Wang, X., Zhang, Y., Zhu, D., Yang, M.: Semantics-driven, learning-based privacy discovery in mobile apps. In: NDSS, Finding Clues for Your Secrets (2018)

    Google Scholar 

  31. Reichert, L., Brack, S., Scheuermann, B.: Privacy-preserving contact tracing of covid-19 patients. IACR Cryptology ePrint Archive 2020:375 (2020)

    Google Scholar 

  32. Ryan, M.: Bluetooth: with low energy comes low security. In: Presented as Part of the 7th USENIX Workshop on Offensive Technologies (2013)

    Google Scholar 

  33. Simko, L., Calo, R., Roesner, F., Kohno, T.: Covid-19 contact tracing and privacy: studying opinion and preferences. arXiv preprint arXiv:2005.06056 (2020)

  34. Sun, R., Wang, W., Xue, M., Tyson, G., Camtepe, S., Ranasinghe, D.: Vetting security and privacy of global covid-19 contact tracing applications (2020)

    Google Scholar 

  35. Tang, Q.: Privacy-preserving contact tracing: current solutions and open questions. arXiv preprint arXiv:2004.06818 (2020)

  36. Troncoso, C., et al.: Decentralized privacy-preserving proximity tracing. https://github.com/DP3T/documents. Accessed 23 June 2020

  37. Veale, M.: Analysis of the NHSX contact tracing app ‘isle of wight’ data protection impact assessment (2020)

    Google Scholar 

  38. Weiser, M.: Program slicing. IEEE Trans. Software Eng. 4, 352–357 (1984)

    Article  Google Scholar 

  39. Wen, H., Chen, Q.A., Lin, Z.:. Plug-N-Pwned: comprehensive vulnerability analysis of OBD-II dongles as a new over-the-air attack surface in automotive IoT. In: 29th USENIX Security Symposium (USENIX Security 20), Boston, MA, August 2020. USENIX Association (2020)

    Google Scholar 

  40. Wen, H., Zhao, Q., Chen, Q.A., Lin, Z.: Automated cross-platform reverse engineering of can bus commands from mobile apps. In: Proceedings of the 27th Annual Network and Distributed System Security Symposium (NDSS 2020), San Diego, CA, February 2020

    Google Scholar 

  41. Yang, Z., Yang, M.: LeakMiner: detect information leakage on android with static taint analysis. In: 2012 Third World Congress on Software Engineering, pp. 101–104. IEEE (2012)

    Google Scholar 

  42. Yang, Z., Yang, M., Zhang, Y., Gu, G., Ning, P., Wang, X.S.: Appintent: analyzing sensitive data transmission in android for privacy leakage detection. In: Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security, pp. 1043–1054 (2013)

    Google Scholar 

  43. Zhao, Q., Wen, H., Lin, Z., Xuan, D., Shroff, N.: On the accuracy of measured proximity of Bluetooth-based contact tracing apps. In: International Conference on Security and Privacy in Communication Networks (2020)

    Google Scholar 

  44. Zhao, Q., Zuo, C., Pellegrino, G., Lin, Z.: Geo-locating drivers: a study of sensitive data leakage in ride-hailing services. In: Proceedings of the 26th Annual Network and Distributed System Security Symposium (NDSS 2019), San Diego, CA, February 2019

    Google Scholar 

  45. Zuo, C., Wen, H., Lin, Z., Zhang, Y.: Automatic fingerprinting of vulnerable BLE IoT devices with static UUIDS from mobile apps. In: Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security, pp. 1469–1483 (2019)

    Google Scholar 

Download references

Acknowledgement

We would like to thank our shepherd Adwait Nadkarni, and the anonymous reviewers for their valuable feedback. We are also grateful to Juanru Li, Tielei Wang, and Zhi Zhou for their assistance on obtaining the most recent iOS COVID-19 apps. This work was supported in part by the National Science Foundation (NSF) under Grant No. CNS 1618520, CNS 1834215 and CNS 2028547. Any opinions, findings, conclusions, and recommendations in this paper are those of the authors and do not necessarily reflect the views of the funding agencies.

Author information

Authors and Affiliations

  1. Department of Computer Science and Engineering, The Ohio State University, Columbus, USA

    Haohuang Wen, Qingchuan Zhao, Zhiqiang Lin, Dong Xuan & Ness Shroff

Authors
  1. Haohuang Wen
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Qingchuan Zhao
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Zhiqiang Lin
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Dong Xuan
    View author publications

    You can also search for this author in PubMed Google Scholar

  5. Ness Shroff
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Haohuang Wen .

Editor information

Editors and Affiliations

  1. Yonsei University, Seoul, Korea (Republic of)

    Noseong Park

  2. George Mason University, Fairfax, VA, USA

    Kun Sun

  3. Dipartimento di Informatica, Universita degli Studi, Milan, Milano, Italy

    Sara Foresti

  4. University of Florida, Gainesville, FL, USA

    Kevin Butler

  5. Division of Nephrology, University of Alabama, Birmingham, AL, USA

    Nitesh Saxena

Rights and permissions

Reprints and permissions

Copyright information

© 2020 ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Wen, H., Zhao, Q., Lin, Z., Xuan, D., Shroff, N. (2020). A Study of the Privacy of COVID-19 Contact Tracing Apps. In: Park, N., Sun, K., Foresti, S., Butler, K., Saxena, N. (eds) Security and Privacy in Communication Networks. SecureComm 2020. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 335. Springer, Cham. https://doi.org/10.1007/978-3-030-63086-7_17

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-63086-7_17

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-63085-0

  • Online ISBN: 978-3-030-63086-7

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation