With the current pandemic, privacy concerns have emerged around the large number of applications being published and promoted around the globe. From symptom tracking to contact tracing, the COVID-19 App Tracker Project (https://covid19apptracker.org) aims to automate detection of new and modified applications published on the Google Play Store. Our session will discuss C19 app trends around the globe, emerging concerns, and what is required for greater transparency around the applications created and data collected by governments around the world.

1. https://covid19apptracker.org
Data Last Updated: 01 August 2020
Who needs spyware when you
have COVID-19 apps?
1

2. Agenda
Introduction
The Project
The People
The Goals
The Problem
A walk down memory lane
Ecosystem and Trends
What can we learn from the data?
Opportunities?
2

3. Agenda
Introduction
The Project
The People
The Goals
The Problem
A walk down memory lane
Ecosystem and Trends
What can we learn from the data?
Opportunities?
3

4. Agenda
Introduction
The Project
The People
The Goals
The Problem
A walk down memory lane
Ecosystem and Trends
What can we learn from the data?
Opportunities?
4

5. Our Team
Megan DeBlois
Product Manager
Carlos Maycas Nadal
Back-end Engineer
Zach Anderson
Front-end Engineer
Justin DeBlois
UX Designer
Contact Us!
info@covid19apptracker.org
https://covid19apptracker.org/#/team 5

6. Introduction
6

7. https://covid19apptracker.org
7
Last Updated
01 Aug 2020

8. How it Works
App Detection Engine
(scan, updates, enrich)
1
App Database
2 Update Google Sheet
Deploy GitHub Pages
3
Google Play Store
8

9. Building on a Budget
No funding
Limited time
Understand the ecosystem
(contact tracing, symptom
tracking, informational)
Create open data for
deeper analysis
Personal learning goals
Constraints Goals
9

10. The Problem
10

11. ● Rapid deployment of technology…
● Bugs, Vulnerabilities, Exploitation
Problem #1
The Problem
11

12. May: https://www.washingtonpost.com/technology/2020/05/21/care19-dakota-privacy-coronavirus/
“it violates its own privacy
policy by sharing citizen
location and other
personal data with an
outside company”
12

13. 13

14. 14

15. 15

16. ● Rapid deployment of technology…
● Bugs, Vulnerabilities, Exploitation
Problem #1
● Data collection and permissions
● Lack of transparency
Problem #2
The Problem
16

17. Timeline
Emergence
More and more COVID-19
apps begin to emerge
on play stores.
Research
May 2020Feb-Mar 2020 Mar 2020 Apr 2020 May 2020 Jun-Aug 2020
17

18. Timeline
Emergence
More and more COVID-19
apps begin to emerge
on play stores.
Restrictions
Research
May 2020Feb-Mar 2020 Mar 2020 Apr 2020 May 2020 Jun-Aug 2020
Google and Apple crackdown on apps.
Restrict publication to governments
and official health institutions. 18

19. 19

20. Timeline
Emergence
More and more COVID-19
apps begin to emerge
on play stores.
Restrictions
Contact Tracing
Research
May 2020Feb-Mar 2020 Mar 2020 Apr 2020 May 2020 Jun-Aug 2020
Google and Apple crackdown on apps.
Restrict publication to governments
and official health institutions.
Google/Apple announce
collaboration “privacy respecting”
contact tracing technology
20

21. https://www.eff.org/deeplinks/2020/04/apple-and-goo
gles-covid-19-exposure-notification-api-questions-and
-answers 21

22. MIT contact tracing app
project data released
Research
Timeline
Emergence
More and more COVID-19
apps begin to emerge
on play stores.
Restrictions
Contact Tracing
Research
May 2020Feb-Mar 2020 Mar 2020 Apr 2020 May 2020 Jun-Aug 2020
Google and Apple crackdown on apps.
Restrict publication to governments
and official health institutions.
Google/Apple announce
collaboration “privacy respecting”
contact tracing technology
22

23. 23

24. MIT contact tracing app
project data released;
Research
Timeline
Emergence
More and more COVID-19
apps begin to emerge
on play stores.
Restrictions
Contact Tracing
Research
May 2020Feb-Mar 2020 Mar 2020 Apr 2020 May 2020 Jun-Aug 2020
Google and Apple crackdown on apps.
Restrict publication to governments
and official health institutions.
Google/Apple announce
collaboration “privacy respecting”
contact tracing technology
We still have a lot of
data collection and
privacy issues
Data Collection
24

25. The Ecosystem
25

26. How many apps are there?
On the Google Play Store
*The following slides and information are based on data tracked by the project
26

27. 121On August 1st
Contact Tracing
Symptom Tracking
Informational
3 Categories
● Contact Tracing
● Symptom Tracking
● Informational
27

28. Number of apps by country
On the Google Play Store
*The following slides and information are based on data tracked by the project
28

29. 29

30. India, United States,
United Kingdom,
Spain, United Arab
Emirates, Pakistan,
Vietnam
Top Countries
30

31. India, United States,
United Kingdom,
Spain, United Arab
Emirates, Pakistan,
Vietnam
Top Countries
31

32. India, United States,
United Kingdom,
Spain, United Arab
Emirates, Pakistan,
Vietnam
Top Countries
32

33. India, United States,
United Kingdom,
Spain, United Arab
Emirates, Pakistan,
Vietnam
Top Countries
33

34. The impact on people
On the Google Play Store
34
*The following slides and information are based on data tracked by the project

35. The ScaleMore than 100M
downloads
Aarogya Setu
India
100M+
35

36. The ScaleMore than 100M
downloads
Aarogya Setu
India
100M+
10M
CoronApp
Colombia
36

37. The ScaleMore than 100M
downloads
Aarogya Setu
India
100M+
10M
CoronApp
Colombia
Hayat Eve Sığar
Turkey
MySejahtera
Malaysia
CoronaWarn App
Germany
Cuidar COVID19
Argentina
5M+
1M+
Australia
Brazil
India
Israel
U.K.
Vietnam
France
Saudi Arabia
Singapore
Qatar
37

38. Privacy and Permissions
38
*The following slides and information are based on data tracked by the project

39. 39

40. 40

41. Who requests the most permissions?
41
*The following slides and information are based on data tracked by the project

42. Karantinas / Lithuania
Symptom Tracking and
Informational
https://covid19apptracker.org/#/app/com.lym
po.covid19
T COVID’19 / India
Symptom Assessment
and Informational
https://covid19apptracker.org/#/app/com.tsst
ate.citizen
SM_Covid19 / Italy Contact Tracing
https://covid19apptracker.org/#/app/it.softmi
ning.projects.covid19.savelifestyle
Type of App URL
23 Permissions Requested
42

43. Who requests the least permissions?
43
*The following slides and information are based on data tracked by the project

44. Pakistan's National Action
Plan for COVID-19
/ Pakistan
Informational
https://covid19apptracker.org/#/app/com.nap
_pakistan.app
Type of App URL
0 Permissions Requested
44

45. GVA Coronavirus / Spain
Primary Care
Appointment and
Informational
https://covid19apptracker.org/#/app/es.gva.co
ronavirus
Family - COVID 19 /
Vietnam
Symptom Tracking
https://covid19apptracker.org/#/app/com.fam
ily.tokhaiyte
CoronaCheck / Pakistan
Symptom Self
Assessment and
Informational
https://covid19apptracker.org/#/app/com.edu
.aku.akuhccheck
Be + against COVID19 /
Spain
Informational
https://covid19apptracker.org/#/app/com.app
andabout.defusing
Type of App URL
1 Permission Requested
45

46. More on geolocation
46
*The following slides and information are based on data tracked by the project

47. Requesting Approximate Location 79 (65%)
Requesting Precise Location 90 (74%)
Permission Number of Apps
47

48. 48
Google and Apple
Exposure Notification

49. 49
“Your app must have the BLUETOOTH and INTERNET permission in its
manifest, but your app doesn't require and can't include
ACCESS_COARSE_LOCATION, ACCESS_FINE_LOCATION, nor
BLUETOOTH_ADMIN.”
https://developers.google.com/android/exposure-notifications/exposure-notifications-api

50. Dangerous Permissions
50

51. 51
“permissions that could potentially affect the user's
privacy or the device's normal operation … the user must
explicitly agree to grant those permissions.”
https://developer.android.com/guide/topics/permissions/overview

52. * Android permissions categorization: https://developer.android.com/reference/android/Manifest.permission 52

53. * Android permissions categorization: https://developer.android.com/reference/android/Manifest.permission 53
65%
74%

54. * Android permissions categorization: https://developer.android.com/reference/android/Manifest.permission 54
50%
46%

55. * Android permissions categorization: https://developer.android.com/reference/android/Manifest.permission 55
36%
18%
15%
13%
6%

56. 56
App Name Country
Affiliation
App Name Country
Affiliation
COVID Coach (US Department of Veteran
Affairs)
U.S. Home Quarantine (Kwarantanna
domowa)
Poland
Sức khỏe Việt Nam Vietnam Coronavirus UY Uruguay
COVID19 - DXB Smart App UAE COVI Qatar
COVID19 - DXB Responder UAE Shuurkhai 119 Mongolia
T COVID'19 India COVID-19 Sounds U.K.
COVID-19 Vietnam Shlonik - ‫ﺷﻠوﻧك‬ Kuwait
Interactive Clinics Spain COVID19 UAE UAE
C Spire Health - UMMC Virtual COVID-19
Triage
U.S. SOS CORONA Mali
Requesting Microphone Access

57. 57
Requesting Read Contacts Access
App Name Country
Affiliation
CoronApp - Colombia Colombia
Healthy Together - COVID-19 (US) U.S.
Speetar COVID-19 (LY) Libya
COVID Coach (US, Department of Veteran
Affairs)
U.S.
COVID-19MX Mexico
Hayat Eve Sığar Turkey
Sức khỏe Việt Nam Vietnam

58. 58
Regional Permission Differences
121On August 1st

59. 59
57%
80%

60. Researchers and
Advocates
60

61. 61
https://web.karisma.org.co/coronapp-muchos-datos-pocos-beneficios/

62. 62
https://www.amnesty.org/en/latest/news/2020/06/bahrain-kuwait-norway-contact-tracing-apps-danger-for-privacy/

63. 63
https://www.eff.org/issues/covid-19
Some universities in the U.S.
are considering “app
mandates”. (EFF, July 2020)
https://www.eff.org/deeplinks/2020/07/u
niversity-app-mandates-are-wrong-call

64. 64
https://reports.exodus-privacy.eu.org/en/analysis/submit/

65. What now?
65

66. What now?
66

67. 1. Privacy and security audits
2. Better understand adoption barriers to Google and
Apple Exposure Notification technology
3. Advocate for privacy respecting applications
4. Transparency standards for COVID-19 applications
a. Promote open source technologies
b. Transparent data collection and treatment
67
Opportunities

68. The design decisions we
make now have the
potential for lasting impact
on our privacy.
68

69. Any questions?
69
*We will be taking questions on the appropriate DEFCON Crypto Village discord channel
info@covid19apptracker.org

70. Thank
You
COVID-19 App Tracker
info@covid19apptracker.org
70

71. 71