Report: Guardsquare Reveals Security and Privacy Risks Persist in Global COVID-19 Contact Tracing Apps

Report: Guardsquare Reveals Security and Privacy Risks Persist in Global COVID-19 Contact Tracing Apps

Analysis Finds 60% of Apps Use Secure Official API, Remaining 40% Still Lack Basic Protections

Guardsquare, the mobile application security platform, today announced the release of the company’s second “Global Contact Tracing App Analysis,” which reassesses the levels of security protections and privacy risks of COVID-19 contact tracing apps. The report found that of the 95 mobile apps analyzed, 60% use the official application programming interface (API) for secure exposure notifications. For the remaining 40% of the contact tracing apps, the majority of which gather GPS location data, security is paramount ‒ yet lags.

Read More: Ken Ewell Joins SurveyMonkey As Chief Customer Officer

“Apps, especially applications downloaded by users on mobile devices requiring personal or location data, should always incorporate proper security protections and code hardening techniques to ensure that the privacy of the data they are collecting is sufficiently protected”

“It is always important to follow security best practices during the development of any application which handles sensitive user data, and that is even more true when that app is a vital tool in the worldwide fight against the pandemic. Contact tracing apps gathering user location data and personally identifiable information are especially attractive targets for exploitation, further reinforcing the need for developers to implement essential security protections,” said Grant Goodes, Chief Scientist at Guardsquare.

Contact tracing apps have been commissioned and distributed by governments around the world to track and notify individuals of exposure to COVID-19 so they can take appropriate action in order to prevent the spread of the virus. Guardsquare first analyzed government-sponsored COVID-19 contact tracing Android mobile apps in June 2020, uncovering that the vast majority lacked even basic security protections. For this report, Guardsquare reanalyzed the original Android apps (with the exception of those no longer in use), added new apps that have since emerged, and included iOS mobile apps to derive insights into the two market-leading mobile operating systems.

Read More: Pure Storage Named A Leader In Gartner Magic Quadrant For Primary Storage Arrays

In the updated analysis, Guardsquare found use of the Exposure Notification API developed by Apple and Google to be much more prevalent than in the June report. Notably, of the apps Guardsquare analyzed, 62% of the Android apps and 58% of the iOS apps are using the API. However, contact tracing apps not using the Exposure Notification API have applied either a minimal level of fundamental security protection techniques or no security protection techniques.

The research reveals that although progress has been made, security and privacy issues among contact tracing apps persist. In particular, the analysis found that apps using GPS, Bluetooth, or a combination of the two, to collect sensitive data are operating in a manner endangering the security and privacy of users.

Key Findings of COVID-19 Contact Tracing Apps (Exposure Notification API Not Used):

  • 33% of iOS and 20% of Android apps had no protection
  • 61% of iOS and 75% of Android apps had one or two security protections
  • 6% of iOS and 5% of Android apps had three or four security protections
  • 0% of iOS and Android apps had five or more security protections

According to Guardsquare’s assessment, the apps based on the Exposure Notification API have minimal security concerns. Alternate routes to detecting exposure via proximity to infected individuals‒employing GPS, building custom Bluetooth proximity detection, or both‒raise significant security and privacy concerns. Unprotected mobile applications that gather GPS data and require sensitive identity credentials risk exploitation and potentially flagrant violations of user data privacy.

“Apps, especially applications downloaded by users on mobile devices requiring personal or location data, should always incorporate proper security protections and code hardening techniques to ensure that the privacy of the data they are collecting is sufficiently protected,” Goodes said. “To successfully combat the spread of COVID-19, contact tracing app security should be at the forefront for developers, public health authorities, and governments.”

Read More: Amperity Achieves AWS Travel And Hospitality Competency Status

Write in to psen@itechseries.com to learn more about our exclusive editorial packages and programs.