Covid-19 Contact Tracing on Android Is Not So Private After All

Opt-in to Cyber Safety. Multiple layers of protection for your devices, online privacy and more.

Illustration for article titled It Turns Out Covid-19 Contact Tracing on Android Is Not So Private After All

Photo: Florence Ion/Gizmodo

At the start of the pandemic, Apple and Google scrambled to enable covid-19 contact tracing on their respective smartphone operating systems. The feature, which works across iOS and Android, was designed to help folks quickly determine if they’d been exposed to the virus by simply enabling a contact-tracing setting. Both companies had promised that pertinent data collected from the features, like where you’d been and who you’d passed by, would remain relatively anonymous and that only public health agencies would have access to that information.

Unfortunately, the opposite was true for the Android version of covid-19 tracing tool. The Markup published a report of a significant privacy flaw that allows hundreds of preinstalled apps offered by major Android manufacturers to access sensitive data. Apps like the Samsung Browser and Motorola’s MotoCare have grandfathered access to system logs for analytics and crash reports, which is where the data is stored.

The contact-tracing tools work by exchanging anonymized Bluetooth signals with other phones that have the ability enabled. (On Android, you can flip it on with a switch in the device settings menu.) Those signals change every 15 minutes so that individual users aren’t identifiable, created from a key that’s refreshed every 24 hours. The signals generated and received by an Android phone’s contact tracing are then saved into the device system logs. It’s there that Samsung, Motorola, Huawei, and other major Android players have automatic access to that data.

AppCensus, a mobile security firm, discovered the breach when testing the Android and iPhone contact tracing system as part of a contract with the U.S. Department of Homeland Security. The firm had found that the logs showed sensitive data, like whether a person was in contact with someone who had tested positive for covid-19. The data also contained information like the device name, MAC address, and advertising ID, which is what Google Play services use to personalize ads.

AppCensus claims that Google repeatedly dismissed the firm’s concerns when it brought up the issue in a February submission to Google’s bug bounty program….