Slides for the presentation in the ICSE'21 technical track.
The rapid spread of COVID-19 has made traditional manual contact tracing, which identifies persons in close physical proximity to a known infected person, challenging. Hence, various public health authorities have experimented with automating contact tracing with mobile apps. However, these apps have raised security and privacy concerns. In this paper, we propose an automated security and privacy assessment tool, COVIDGuardian, which combines identification and analysis of Personal Identification Information (PII), static program analysis, and data flow analysis to determine security weaknesses and potential private-information leakage in contact tracing apps. Further, in light of our findings, we undertake a user study to investigate user concerns regarding contact tracing apps. We hope that COVIDGuardian, the issues raised through responsible disclosure to vendors, the concrete guidelines provided, and the gaps we identified between user requirements and app performance can contribute to the development and deployment of mobile apps against COVID-19 and help build secure and effective digital contact tracing solutions.
1. An Empirical Assessment of Global COVID-19 Contact Tracing Applications
ICSE’21
https://arxiv.org/abs/2006.10933
Ruoxi Sun*, Wei Wang*, Minhui Xue*,
Gareth Tyson+, Seyit Camtepe$, Damith C. Ranasinghe*
* The University of Adelaide
+ Queen Mary University of London
$ CSIRO-Data61
2. Motivation
• The rapid spread of COVID-19 has made traditional manual contact tracing challenging.
• A number of public health authorities have experimented with automated contact tracing apps.
• These apps have raised security and privacy concerns.
3. Main Contributions
We develop COVIDGuardian, the first automated security and privacy assessment tool that tests contact tracing apps.
We assess the security and privacy status of 40 worldwide Android contact tracing apps.
We identify 4 major privacy and security threats against contact tracing apps.
We also conduct a user study involving 373 participants, to investigate user concerns and requirements.
We have disclosed our security and privacy assessment reports to the related stakeholders.
5. Centralized vs. Decentralized
Centralized
• The server collects the contact records from diagnosed users
• Health status is evaluated by the server
Decentralized
• The server collects only the tokens of diagnosed users
• Health status is evaluated by users on their own devices
Contact Tracing Applications (examples on the slide): Google and Apple; NHS COVID-19, UK; Corona Warn App, Germany; TraceTogether, Singapore; COVIDSafe, Australia; StopCovid, France
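The two architectures on this slide, as an added example that is not code from the paper or from any deployed app: a simplified model written so that the difference in what the server learns is visible in code. The assumptions are mine, not the slide's: phones broadcast rolling tokens derived by HMAC from a per-device daily key, the tokens a phone hears are its contact records, the centralized server knows every registered user's key, and the decentralized server only republishes diagnosed users' keys. All names, keys and encounters are constructed.

```python
"""Added example (not the paper's code): centralized vs. decentralized
contact tracing in a simplified model. Assumed construction: BLE tokens are
HMAC-SHA256 of an interval index under a per-device daily key."""
import hashlib
import hmac
import secrets


def rolling_token(daily_key, interval):
    """Token broadcast over BLE during one time interval."""
    return hmac.new(daily_key, interval.to_bytes(4, "big"), hashlib.sha256).digest()[:16]


class Phone:
    def __init__(self, owner):
        self.owner = owner                       # identity stays on the device
        self.daily_key = secrets.token_bytes(32)
        self.heard = set()                       # local contact records

    def broadcast(self, interval):
        return rolling_token(self.daily_key, interval)

    def hear(self, token):
        self.heard.add(token)


def encounter(a, b, interval):
    """Two phones in range exchange their current tokens."""
    a.hear(b.broadcast(interval))
    b.hear(a.broadcast(interval))


class CentralizedServer:
    """Holds every registered user's key, receives the diagnosed user's
    contact records and decides who is at risk, so it learns identities and
    the contact graph of diagnosed users."""

    def __init__(self):
        self.registry = {}                       # owner -> daily key

    def register(self, phone):
        self.registry[phone.owner] = phone.daily_key

    def report_diagnosis(self, diagnosed, intervals):
        at_risk = set()
        for owner, key in self.registry.items():
            if owner == diagnosed.owner:
                continue
            if any(rolling_token(key, i) in diagnosed.heard for i in intervals):
                at_risk.add(owner)               # the server alerts these users
        return at_risk


class DecentralizedServer:
    """Only republishes the diagnosed users' daily keys; it never sees
    contact records or identities. Matching happens on each phone."""

    def __init__(self):
        self.published = []

    def report_diagnosis(self, diagnosed):
        self.published.append(diagnosed.daily_key)

    def download(self):
        return list(self.published)


def local_match(phone, published_keys, intervals):
    """Client side: derive the diagnosed tokens and compare them with the
    phone's own contact records."""
    return any(rolling_token(key, i) in phone.heard
               for key in published_keys for i in intervals)


def simulate():
    intervals = range(144)                       # e.g. 10-minute slots of one day
    alice, bob, carol = Phone("alice"), Phone("bob"), Phone("carol")
    encounter(alice, bob, 17)                    # only alice and bob meet

    central = CentralizedServer()
    for p in (alice, bob, carol):
        central.register(p)
    central_at_risk = central.report_diagnosis(alice, intervals)

    decentral = DecentralizedServer()
    decentral.report_diagnosis(alice)
    keys = decentral.download()
    local_at_risk = {p.owner: local_match(p, keys, intervals) for p in (bob, carol)}

    return {
        "centralized_at_risk": central_at_risk,
        "decentralized_at_risk": local_at_risk,
        "centralized_server_knows": sorted(central.registry),    # identities of all users
        "decentralized_server_knows": len(decentral.published),  # diagnosed keys only
    }


if __name__ == "__main__":
    print(simulate())
```

Both designs reach the same conclusion (bob is at risk, carol is not), but only the centralized server holds identities and can link diagnosed users to their contacts; in the decentralized design the server learns nothing beyond the uploaded daily keys, which is what the later "non-PII tokens shared with the server" exposure level refers to.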
7. Security Assessment - Methodology
(Figure: an overview of our security and privacy assessment methodology, COVIDGuardian)
8. Security Assessment - Results
• Use at least one deprecated cryptographic algorithm (73%)
• Allow "Clear Text Storage" (55%)
• Allow Backup (43%)
• Contain trackers (75%)
• The top sources of sensitive data: Location and database.Cursor
• Most of the sensitive data will be transferred to sinks, such as Bundle, Service, and OutputStream
• Some apps transmit location information through SMS messages
• We discovered one application, Stop COVID-19 KG (Kyrgyzstan), containing malware.
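The checks behind counts like the ones above, as an added example that is not COVIDGuardian's code (MobSF applies checks of this kind to the real APKs; the taint pass sketches what FlowDroid does at scale). The manifest and the "decompiled" Java fragment are constructed samples, the finding names are mine, and reading the slide's "Clear Text Storage" weakness as android:usesCleartextTraffic is an assumption.

```python
"""Added example (not COVIDGuardian's code): manifest weakness checks,
deprecated-crypto matching and a minimal location-to-SMS taint pass over
constructed samples."""
import re
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed manifest carrying the weak settings.
WEAK_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.tracer">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application android:allowBackup="true"
               android:usesCleartextTraffic="true">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>
"""

# The corrected settings, for comparison.
HARDENED_MANIFEST = (WEAK_MANIFEST
                     .replace('android:allowBackup="true"', 'android:allowBackup="false"')
                     .replace('android:usesCleartextTraffic="true"', 'android:usesCleartextTraffic="false"'))

# Constructed "decompiled" fragment: weak hash, ECB mode, and a location
# value that reaches the SMS sink through an intermediate variable.
WEAK_JAVA = """
MessageDigest md = MessageDigest.getInstance("MD5");
Cipher c = Cipher.getInstance("AES/ECB/PKCS5Padding");
String body = "lat=" + loc.getLatitude() + ",lon=" + loc.getLongitude();
SmsManager.getDefault().sendTextMessage(dest, null, body, null, null);
"""


def manifest_findings(xml_text):
    root = ET.fromstring(xml_text)
    app = root.find("application")
    findings = []
    if app.get(ANDROID + "allowBackup", "true") == "true":   # absent means true
        findings.append("allow-backup")
    # Assumption: explicit opt-in only; the absent-attribute default depends on targetSdkVersion.
    if app.get(ANDROID + "usesCleartextTraffic") == "true":
        findings.append("cleartext-traffic")
    perms = {p.get(ANDROID + "name") for p in root.findall("uses-permission")}
    if "android.permission.SEND_SMS" in perms:
        findings.append("uses-send-sms")
    return findings


WEAK_CRYPTO = [
    ("weak-hash", re.compile(r'MessageDigest\.getInstance\(\s*"(?:MD2|MD5|SHA-?1)"')),
    ("weak-cipher", re.compile(r'Cipher\.getInstance\(\s*"(?:DES|DESede|RC2|RC4)\b')),
    ("ecb-mode", re.compile(r'Cipher\.getInstance\(\s*"[^"]*/ECB/')),
    # A bare "AES" transformation falls back to the provider default, ECB.
    ("ecb-mode", re.compile(r'Cipher\.getInstance\(\s*"AES"\s*\)')),
]


def crypto_findings(java_src):
    hits = []
    for lineno, line in enumerate(java_src.splitlines(), 1):
        for label, pattern in WEAK_CRYPTO:
            if pattern.search(line):
                hits.append((label, lineno))
    return hits


LOCATION_SOURCE = re.compile(r'\b(?:getLatitude|getLongitude|getLastKnownLocation)\s*\(')
ASSIGNMENT = re.compile(r'^\s*(?:[\w<>\[\].]+\s+)?(\w+)\s*=\s*(.+);\s*$')
SMS_SINK = re.compile(r'sendTextMessage\s*\((.*)\)')


def location_to_sms(java_src):
    """Minimal intra-procedural taint pass: a variable assigned from a
    location source (or from a tainted variable) becomes tainted; a
    sendTextMessage call whose arguments name a source or a tainted
    variable is reported with its line number."""
    tainted = set()

    def mentions_taint(expr):
        return bool(LOCATION_SOURCE.search(expr)) or any(
            re.search(r"\b%s\b" % re.escape(v), expr) for v in tainted)

    hits = []
    for lineno, line in enumerate(java_src.splitlines(), 1):
        m = ASSIGNMENT.match(line)
        if m and mentions_taint(m.group(2)):
            tainted.add(m.group(1))
        s = SMS_SINK.search(line)
        if s and mentions_taint(s.group(1)):
            hits.append(lineno)
    return hits


def assess(manifest_xml, java_src):
    return {"manifest": manifest_findings(manifest_xml),
            "crypto": crypto_findings(java_src),
            "location_over_sms": location_to_sms(java_src)}


if __name__ == "__main__":
    print(assess(WEAK_MANIFEST, WEAK_JAVA))
    print(assess(HARDENED_MANIFEST, WEAK_JAVA)["manifest"])
```

The taint pass only follows straight-line assignments within one fragment; the real tool needs an inter-procedural analysis such as FlowDroid to follow location data through Bundle, Service and OutputStream sinks across methods and components. Note also that a bare "AES" transformation string is flagged as ECB even though the word ECB never appears, which is why pattern matching on algorithm names alone undercounts this weakness.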
9. Security Assessment – Regression Testing
• One month after disclosing our findings to the developers, we re-checked the new versions of the contact tracing apps.
• Fixed security issues - TraceTogether, BluZone, STOP COVID19 Cat
• Removed trackers - Mysejahtera
• No longer available in Play Store - Contact Tracer
• New vulnerabilities are identified in some apps
• The urgency of app development may impact quality assurance procedures
10. Privacy Risk Evaluation – Potential Attacks
• Linkage attack by the server
• Linkage attack by users
• False-positive claims
• Relay attack
11. Privacy Risk Evaluation - User Privacy Exposure
Exposure levels:
- Secure: no data is shared with a server or users
- Medium-risk: non-PII tokens are shared with proximity users
- Medium-risk: non-PII tokens are shared with the server
- High-risk: PII is shared with a server
- Highest-risk: PII is released to the public
Legend of the assessment chart: the system is well protected; the system is at risk; inadequate information to conduct an assessment; centralized system; decentralized system
12. User Study - Design
Participants
• 373 volunteers in Australia
• Age - 18-29 years old
• Nationality - 58% Oceania, 20% Asia
• Gender - 59% female, 39% male
• Education - 30% high school, 67% university graduates
Survey Protocol
• Questionnaire with 5-point Likert scale questions
• Pencil-and-paper and online
• Likelihood of using contact tracing apps
  • Functionality scenarios
    • Accuracy of proximity contact detection
    • Accuracy of at-risk alarm
  • Privacy scenarios
    • PII leakage
    • Provide data to authorities if diagnosed
• Concerns about use of contact tracing apps
  • Usability
  • Effectiveness
  • Concerns about privacy
Privacy Scenarios
• Type A - Centralized, PII collected
• Type B - Centralized, non-PII collected
• Type C - Decentralized, PII collected
• Type D - Decentralized, non-PII collected
13. User Study - Results
(Charts on the slide: likelihood of use rated from extremely unlikely to extremely likely, and privacy concern rated from extremely unconcerned to extremely concerned)
• Privacy design and tracing accuracy impact the likelihood of app use.
• Users are more likely to accept and use apps with better privacy by design.
• If PII data is collected, users prefer a centralized solution.
14. Future Work
• Examine Bluetooth Low Energy and network traffic originating from contact tracing
• Examine any vulnerabilities associated with iOS counterparts.
Hello everyone, I'm Ruoxi Sun from the University of Adelaide, Australia. Today I'd like to present our research "Vetting s…."
The motivation of our research is that, while the global deployment of contact tracing apps aims to protect the health of citizens, these apps have raised security and privacy concerns.
We assess the security performance of 34 worldwide Android contact tracing applications. We conducted code analysis using MobSF, data flow analysis with FlowDroid and malware detection using VirusTotal to evaluate manifest weaknesses, vulnerabilities, privacy leaks and malware.
At first, we look into 10 solutions from 7 countries worldwide. In centralized solutions, there is a central server which collects the contact records from diagnosed users and uses this information to evaluate users' health status and send out alarms to at-risk users. In decentralized solutions, users download the diagnosed tokens from the back-end server and match them with local records to know if they are at risk.
The result shows that over 90% of apps use at least one insecure cryptographic algorithm. Another frequent weakness is "Clear Text Storage".
We found that about three quarters of apps contain at least one tracker, which may leak users' privacy. The data flow analysis shows that sensitive information may leak from sources to sinks, such as location information leaking to an output stream. Some apps even transmit location information through messages, which is extremely dangerous as other apps could also access the message sending box.
We have disclosed our findings to related stakeholders and received acknowledgements from numerous vendors.
Here are the results of regression testing; some apps do improve their security performance in updated versions.
We evaluate user privacy exposure with 5 levels. In levels 1, 2 and 3, no personally identifiable information is shared with servers or users, which means the user's privacy is protected.
However, in some solutions, such as COVIDSafe, Health Code, Hamagen, TraceTogether, and the Disease-19 website, users' PII will be shared with the server or even published to the public.
In future, we plan to examine BLE and network traffic and any vulnerabilities associated with iOS counterparts.