A majority of COVID-19 contact-tracing mobile applications are not fully secured and expose users to high risk, claims Guardsquare.
Despite the worldwide rise of Coronavirus contact-tracing mobile apps, developers appear to have lagged in implementing adequate security and privacy protections. In a recent study, security researchers at Guardsquare analyzed several apps from different countries. The report, titled “The Proliferation of COVID-19 Contact Tracing Apps Exposes Significant Security Risks”, revealed that the government-sponsored mobile apps are “not really” secure and expose the privacy and data of their users.
Governments of many countries are using these apps to promote awareness and safety among citizens and to help combat the spread of the pandemic. However, in most cases it is not clear whether the apps are developed by a government unit or by a third party, and security is forfeited as a result.
Researchers decompiled and studied 17 COVID-19 contact-tracing apps for Android, spanning 17 countries, to determine whether developers applied name obfuscation and asset/resource, string, and class encryption. They also tested whether the apps can run on rooted devices or on emulators (virtual devices). Some principal findings from the study are:
a] About 41% of the contact-tracing apps have root detection
b] Around 41% of apps have some level of name obfuscation
c] About 29% of apps have string encryption included
d] Nearly 18% have emulator detection built in
e] Only 6% have asset / resource encryption
f] About 6% of apps have a class encryption option
The above security and privacy protections are crucial for most mobile applications, not only contact-tracing apps. However, they are especially important for the latter, because some of these apps are compulsory for citizens to use and their effectiveness hinges on widespread adoption. For instance, name obfuscation hides identifiers within the app’s code to make it harder for hackers to reverse engineer and explore the code. String encryption prevents malicious actors from extracting API keys and cryptographic keys that are embedded in the code. Hackers could use such sensitive data for blackmail, identity theft, and more.
The desired protections should make it difficult for threat actors to tamper with and attack such legitimate apps. Stronger security promotes confidence among users. The percentages for each category were found to differ by region. According to Grant Goodes, Chief Scientist of Guardsquare: “When security flaws are publicized, the whole app is suddenly distrusted, and its utility wanes as users drop off. In the case of countries who build their own apps, this can erode citizen trust in the government as well, which further increases public health risks.”