According to Check Point Research, apps need to reconcile the goal of greater accuracy with the privacy of their users.
Image: Getty Images / iStockphoto
Contact tracking apps have been used in several countries to curb the spread of COVID-19. Such apps identify users who have tested positive for the virus, ask them to share this information, find people with whom they have been in close contact, and notify them.
SEE: Corona Virus: Critical IT policies and tools that every business needs (TechRepublic Premium)
However, these types of apps face a balancing act. To be fully effective, they need to track and monitor their users' locations. However, such surveillance can compromise a person's privacy, especially if the data falls into the wrong hands or is used for malicious purposes. A blog post published on Thursday by cyber threat intelligence provider Check Point Research describes the challenges and pitfalls of tracking apps and offers tips for potential users.
Contact tracking apps recognize the proximity of one user to another. To monitor a person's location, such apps use either GPS or Bluetooth, especially Bluetooth Low Energy (BLE). With BLE, the user's mobile phone regularly sends information with a unique ID. With GPS, the exact location of the user is continuously logged.
SEE: How tech companies fight COVID-19 with AI, data, and ingenuity (TechRepublic)
Although different apps work a little differently, the contact tracking process follows the same general steps:
If there are people in the immediate vicinity who use the same contact tracking app, this information is registered in the app.
Image: Check Point Research
If any of the users test positive for COVID-19, that person is prompted to share that diagnosis through the app, or in some cases the app automatically shares the information without the user's knowledge.
Image: Check Point Research
The app then notifies other users who were in the immediate vicinity of the infected person.
Image: Check Point Research
On paper, these steps may sound feasible and doable. But it's not that easy in the real world. In order for contact tracking to work most effectively, the apps must be adopted by a large number of people. With many apps, everyone who tests positive for COVID-19 must willingly report their status, otherwise the chain will be broken and the process will be stopped. Just monitoring and sharing your condition raises questions about privacy and potential abuse.
Check Point asked several questions about such apps:
What data is collected, how and where is it stored and how is it shared? Is the data encrypted? Are authorization and verification methods used to protect against abuse? Is the identity of the user kept anonymous when data such as telephone number, name and ID are collected? Does the user voluntarily pass on the coronavirus diagnosis or is this information disclosed without the person's knowledge?
The methods used by contact tracing apps also play a role when it comes to effectiveness and data protection.
Apps that use GPS location tracking can save and save a log of the user's current locations and timestamps. This information can help track the spread of the virus within a specific region. However, GPS tracking can also interfere with the person's privacy by revealing their whereabouts and traveling for an extended period of time. Examples of apps that use GPS are MIT's SafePaths, Cyprus's CovTracer, Israel's Hamagen and India's Aarogya Setu.
Apps that use BLE are considered to be more data protection aware because they transmit a secure and changing anonymous ID that does not reveal the person's identity. However, these apps are less effective than those that use GPS because they cannot track the infection geographically. Examples include the British NHS COVID-19, the Singaporean TraceTogether and the Australian COVIDSafe.
Where the trace data is stored is another key component.
In a centralized approach, the log is uploaded to a central server where health authorities can analyze the information to track the spread of the disease. However, this process affects a user's privacy by storing data about their location and the identity of people they have come into contact with. Apps that use this approach include the British NHS COVID-19, Singaporean TraceTogether and the Australian COVIDSafe.
In a decentralized approach, the protocol remains on the mobile device with only a minimal amount of information being uploaded to the server. The app downloads the anonymous IDs of users who tested positive for the virus and compares them to the logs stored on the device. Apps with this approach include Holland's PrivateTracer and upcoming programs that take over the "Exposure Notification" platform from Google and Apple.
In particular, Check Point outlined four concerns about privacy and security of contact tracking apps:
Devices can be tracked. With apps based on BLE, mobile devices send data packets that can be used to identify contact with other devices. If this process is not properly set up, hackers may be able to track a person's device by correlating the various devices involved and their respective identification packets.Personal data can be compromised. Contact tracking apps store contact logs, encryption keys, and other confidential information on the mobile device. Such data should be encrypted and stored in the application sandbox and not in shared locations. Even with the sandbox approach, any hacker who has root privileges or physical access to the device can access the data.Intercept an application's traffic. If all communication with the app's back-end server is not properly encrypted, users can be attacked with man-in-the-middle attacks that intercept the traffic.Flooding of fake health reports possible. Contact apps must authenticate when information is sent to their servers, e.g. B. when a user publishes diagnostic and contact logs. Without proper authorization, the servers could be flooded with fake health reports, which affects the reliability of the system.
"The jury is still unsure of how secure contact tracking apps are," said Jonathan Shimonovich, mobile research manager at Check Point, in a press release. "After the initial review, we have some serious concerns. Contact tracking apps need to maintain a delicate balance between privacy and security because poor implementation of security standards can compromise users' data. It depends on what data will be collected and how saved and ultimately how it is distributed. "
For anyone who wants to use a corona virus tracing app, Check Point offers the following two tips:
Download only from official stores. Because several fake corona virus apps were detected during the pandemic, users should install COVID-19 contact tracking apps from official app stores, as they only allow authorized government agencies to publish such apps.Use mobile security solutions. Download and install a mobile security solution to scan applications, protect the device from malware, and ensure that the device has not been compromised.
Cybersecurity Insider Newsletter
Strengthen your company's IT security defenses by keeping up to date with the latest cyber security news, solutions, and best practices.
Delivery on Tuesdays and Thursdays
Sign up today