Australian contact-tracing app leaks telling info and increases chances of third-party tracking, say security folks

The design of Australia’s COVIDSafe contact-tracing app creates some unintended surveillance opportunities, according to a group of four security pros who unpacked its .APK file.

Penned by independent security researcher Chris Culnane, University of Melbourne tutor, cryptography researcher and masters student Eleanor McMurtry, developer Robert Merkel and Australian National University associate professor and Thinking Security CEO Vanessa Teague and posted to GitHub, the analysis notes three concerning design choices.

The first-addressed is the decision to change UniqueIDs – the identifier the app shares with other users – once every two hours and for devices to only accept a new UniqueID if the app is running. The four researchers say this will make it possible for the government to understand if users are running the app.

“This means that a person who chooses to download the app, but prefers to turn it off at certain times of the day, is informing the Data Store of this choice,” they write.

The authors also suggest that persisting with a UniqueID for two hours “greatly increases the opportunities for third-party tracking.”

“The difference between 15 minutes' and two hours' worth of tracking opportunities is substantial. Suppose for example that the person has a home tracking device such as a Google home mini or Amazon Alexa, or even a cheap Bluetooth-enabled IoT device, which records the person's UniqueID at home before they leave. Then consider that if the person goes to a shopping mall or other public space, every device that cooperates with their home device can share the information about where they went.”

The analysis also notes that “It is not true that all the data shared and stored by COVIDSafe is encrypted. It shares the phone's exact model in plaintext with other users, who store it alongside the corresponding Unique ID.”

That’s worrisome as:

The authors also worry that the app shares all UniqueIDs when users choose to report a positive COVID-19 test.

“COVIDSafe does not give them the option of deleting or omitting some IDs before upload,” they write. “This means that users consent to an all-or-nothing communication to the authorities about their contacts. We do not see why this was necessary. If they wish to help defeat COVID-19 by notifying strangers in a train or supermarket that they may be at risk, then they also need to share with government a detailed picture of their day's close contacts with family and friends, unless they have remembered to stop the app at those times.”

The analysis also calls out some instances of UniqueIDs persisting for up to eight hours, for unknown reasons.

The authors conclude the app is not an immediate danger to users. But they do say it presents “serious privacy problems if we consider the central authority to be an adversary.”

None of which seems to be bothering Australians, who have downloaded it more than two million times in 48 hours and blown away adoption expectations.

Atlassian co-founder Mike Cannon-Brookes may well have helped things along, by suggestingit’s time to “turn the … angry mob mode off. He also offered the following advice:

®