Security researchers have gone public with troubling privacy issues in Google’s support for contact-tracing apps that they claim can expose users’ information.
AppCensus, a privacy analysis company, discovered the shortcomings of the Android implementation of the Google-Apple Exposure Notification (GAEN) framework as part of a US Department of Homeland Security-funded program.
The team disclosed the issues to Google in mid-February. Google, however, rejected the vulnerability report, prompting AppCensus’s decision to go public with its concerns in a blog post on Tuesday (April 27).
Losses and GAENs
AppCensus is at pains to stress that it has no issue with Covid-19 contact tracing apps per se; rather, it’s the Google implementation of what was supposed to be a privacy-preserving technology it has concerns about.
GAEN offers a decentralized system for Bluetooth-based contact tracing mobile apps.
The framework is designed to help public health authorities manage the spread of Covid-19 and save lives.
With the exposure notification system, neither Google, Apple, nor other users can see the user’s identity, as all of the logging happens on a user’s device.
The theory is that apps based on the decentralized GAEN approach jointly developed by Google and Apple ought to be more privacy friendly.
Google’s implementation of GAEN, however, logs crucial pieces of information, according to AppCensus.
While this data could potentially be read by hundreds of third-party apps, apps downloaded from the Google Play store have been blocked from accessing system logs since 2012.
However, Google allows phone hardware manufacturers, network operators, and their commercial partners (for example, advertising libraries) to pre-install “privileged” apps, according to AppCensus.
Proximity alert
This is a particular problem because the logs contain rolling proximity identifiers (RPIs), which are broadcast by other phones running the contact tracing app that come within range of a user’s device, together with the corresponding Bluetooth MAC addresses. The log also records the RPIs broadcast by the user’s own device, which change roughly every 15 minutes.
The end result is that apps developed by device manufacturers including Samsung and Xiaomi with the ability to read system logs can also access sensitive data from devices running Bluetooth-based contact tracing apps.
AppCensus does not fault device manufacturers for the issue but rather the “log[ging of] sensitive data to the system log in the first place” that results from Google’s “flawed” implementation of GAEN.
Data contained in the logs can be combined with positive temporary exposure keys (TEKs) published by public health authorities to potentially infer a user’s Covid status, according to AppCensus.
Worse yet, an entity that collects these logs can also associate them with the user’s identity.
‘No indication’
In response to queries from The Daily Swig, Google offered a statement acknowledging shortcomings in its implementation that exposed Bluetooth identifiers, but argued that this data failed to expose a user’s location or identifying information, contrary to AppCensus’ report.
We were notified of an issue where the Bluetooth identifiers were temporarily accessible to some pre-installed applications for debugging purposes. Immediately upon being made aware of this research, we began the necessary process to review the issue, consider mitigations, and ultimately update the code.
These Bluetooth identifiers do not reveal a user’s location or provide any other identifying information and we have no indication that they were used in any way – nor that any app was even aware of this.
Although Google’s statement implies there was never much of a privacy risk as a result of AppCensus’ findings, The Daily Swig understands that a rollout of Android updates addressing the issue is already underway.
Source: https://portswigger.net/daily-swig/google-androids-implementation-of-privacy-preserving-contact-tracing-flawed