With the current pandemic, privacy concerns have emerged around the large number of applications being published and promoted around the globe. From symptom tracking to contact tracing, the COVID-19 App Tracker Project (https://covid19apptracker.org) aims to automate detection of new and modified applications published on the Google Play Store.
Our session will discuss C19 app trends around the globe, emerging concerns, and what is required for greater transparency around the applications created and data collected by governments around the world.
8. How it Works
[Diagram components: Google Play Store; App Detection Engine (scan, updates, enrich); App Database; Update Google Sheet; Deploy GitHub Pages]
9. Building on a Budget
Constraints
● No funding
● Limited time
Goals
● Understand the ecosystem (contact tracing, symptom tracking, informational)
● Create open data for deeper analysis
● Personal learning goals
16. The Problem
Problem #1
● Rapid deployment of technology…
● Bugs, Vulnerabilities, Exploitation
Problem #2
● Data collection and permissions
● Lack of transparency
24. Timeline
Timeline axis: Feb-Mar 2020, Mar 2020, Apr 2020, May 2020, Jun-Aug 2020
● Emergence: More and more COVID-19 apps begin to emerge on play stores.
● Restrictions: Google and Apple crack down on apps. Restrict publication to governments and official health institutions.
● Contact Tracing: Google/Apple announce collaboration on “privacy respecting” contact tracing technology
● Research: MIT contact tracing app project data released
● Data Collection: We still have a lot of data collection and privacy issues
37. The Scale
More than 100M downloads
[Chart of download tiers: 100M+, 10M, 5M+, 1M+. Apps named: Aarogya Setu (India), CoronApp (Colombia), Hayat Eve Sığar (Turkey), MySejahtera (Malaysia), CoronaWarn App (Germany), Cuidar COVID19 (Argentina). Countries listed: Australia, Brazil, India, Israel, U.K., Vietnam, France, Saudi Arabia, Singapore, Qatar.]
41. Who requests the most permissions?
*The following slides and information are based on data tracked by the project
42. 23 Permissions Requested
App Name / Country | Type of App | URL
Karantinas / Lithuania | Symptom Tracking and Informational | https://covid19apptracker.org/#/app/com.lympo.covid19
T COVID’19 / India | Symptom Assessment and Informational | https://covid19apptracker.org/#/app/com.tsstate.citizen
SM_Covid19 / Italy | Contact Tracing | https://covid19apptracker.org/#/app/it.softmining.projects.covid19.savelifestyle
43. Who requests the least permissions?
*The following slides and information are based on data tracked by the project
44. 0 Permissions Requested
App Name / Country | Type of App | URL
Pakistan's National Action Plan for COVID-19 / Pakistan | Informational | https://covid19apptracker.org/#/app/com.nap_pakistan.app
45. 1 Permission Requested
App Name / Country | Type of App | URL
GVA Coronavirus / Spain | Primary Care Appointment and Informational | https://covid19apptracker.org/#/app/es.gva.coronavirus
Family - COVID 19 / Vietnam | Symptom Tracking | https://covid19apptracker.org/#/app/com.family.tokhaiyte
CoronaCheck / Pakistan | Symptom Self Assessment and Informational | https://covid19apptracker.org/#/app/com.edu.aku.akuhccheck
Be + against COVID19 / Spain | Informational | https://covid19apptracker.org/#/app/com.appandabout.defusing
49. “Your app must have the BLUETOOTH and INTERNET permission in its manifest, but your app doesn't require and can't include ACCESS_COARSE_LOCATION, ACCESS_FINE_LOCATION, nor BLUETOOTH_ADMIN.”
https://developers.google.com/android/exposure-notifications/exposure-notifications-api
51. “permissions that could potentially affect the user's privacy or the device's normal operation … the user must explicitly agree to grant those permissions.”
https://developer.android.com/guide/topics/permissions/overview
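The manifest rule quoted on slide 49 and the user-granted permissions described on slide 51 can both be checked mechanically against an app's manifest. The following Python is an added example, not code from the COVID-19 App Tracker project; it assumes the manifest has already been decoded to text XML, and the sample manifest, package name, function names and the short runtime-permission subset are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
PREFIX = "android.permission."

# Rule quoted from the Exposure Notifications API documentation (slide 49).
EN_REQUIRED = {"BLUETOOTH", "INTERNET"}
EN_FORBIDDEN = {"ACCESS_COARSE_LOCATION", "ACCESS_FINE_LOCATION", "BLUETOOTH_ADMIN"}
# Assumption: a small subset of Android's runtime ("dangerous") permissions,
# chosen to cover the location, microphone and contacts cases in the slides.
RUNTIME_SUBSET = {"ACCESS_COARSE_LOCATION", "ACCESS_FINE_LOCATION",
                  "RECORD_AUDIO", "READ_CONTACTS"}

# Constructed sample manifest (decoded text form); not from any real app.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="org.example.tracing">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.BLUETOOTH_ADMIN"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission-sdk-23 android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="org.example.tracing.permission.PUSH"/>
</manifest>
"""

def requested_permissions(manifest_xml):
    """Return the set of permission names declared in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    names = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for node in root.iter(tag):
            name = node.get(ANDROID_NS + "name", "")
            # Strip the platform prefix; keep custom/vendor permissions whole.
            names.add(name[len(PREFIX):] if name.startswith(PREFIX) else name)
    names.discard("")
    return names

def audit_manifest(manifest_xml):
    """Compare declared permissions with the quoted Exposure Notifications rule."""
    perms = requested_permissions(manifest_xml)
    return {
        "total_requested": len(perms),
        "missing_required": sorted(EN_REQUIRED - perms),
        "forbidden_present": sorted(EN_FORBIDDEN & perms),
        "runtime_prompted": sorted(RUNTIME_SUBSET & perms),
    }

if __name__ == "__main__":
    print(audit_manifest(SAMPLE_MANIFEST))
```
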
56. Requesting Microphone Access
App Name | Country Affiliation
COVID Coach (US Department of Veterans Affairs) | U.S.
Sức khỏe Việt Nam | Vietnam
COVID19 - DXB Smart App | UAE
COVID19 - DXB Responder | UAE
T COVID'19 | India
COVID-19 | Vietnam
Interactive Clinics | Spain
C Spire Health - UMMC Virtual COVID-19 Triage | U.S.
Home Quarantine (Kwarantanna domowa) | Poland
Coronavirus UY | Uruguay
COVI | Qatar
Shuurkhai 119 | Mongolia
COVID-19 Sounds | U.K.
Shlonik - شلونك | Kuwait
COVID19 UAE | UAE
SOS CORONA | Mali
57. Requesting Read Contacts Access
App Name | Country Affiliation
CoronApp - Colombia | Colombia
Healthy Together - COVID-19 (US) | U.S.
Speetar COVID-19 (LY) | Libya
COVID Coach (US, Department of Veterans Affairs) | U.S.
COVID-19MX | Mexico
Hayat Eve Sığar | Turkey
Sức khỏe Việt Nam | Vietnam
67. Opportunities
1. Privacy and security audits
2. Better understand adoption barriers to Google and Apple Exposure Notification technology
3. Advocate for privacy respecting applications
4. Transparency standards for COVID-19 applications
a. Promote open source technologies
b. Transparent data collection and treatment
68. The design decisions we make now have the potential for lasting impact on our privacy.
69. Any questions?
*We will be taking questions on the appropriate DEFCON Crypto Village discord channel
info@covid19apptracker.org