At the start of the pandemic, Apple and Google scrambled to enable covid-19 contact tracing on their respective smartphone operating systems. The feature, which works across iOS and Android, was designed to help folks quickly determine if they’d been exposed to the virus by simply enabling a contact-tracing setting. Both companies had promised that pertinent data collected from the features, like where you’d been and who you’d passed by, would remain relatively anonymous and that only public health agencies would have access to that information.
Unfortunately, the opposite was true for the Android version of the covid-19 tracing tool. The Markup published a report of a significant privacy flaw that allows hundreds of preinstalled apps offered by major Android manufacturers to access sensitive data. Apps like the Samsung Browser and Motorola’s MotoCare have grandfathered access to system logs for analytics and crash reports, which is where the data is stored.
The contact-tracing tools work by exchanging anonymized Bluetooth signals with other phones that have the ability enabled. (On Android, you can flip it on with a switch in the device settings menu.) Those signals, created from a key that’s refreshed every 24 hours, change every 15 minutes so that individual users aren’t identifiable. The signals generated and received by an Android phone’s contact tracing are then saved into the device system logs. It’s there that Samsung, Motorola, Huawei, and other major Android players have automatic access to that data.
AppCensus, a mobile security firm, discovered the breach when testing the Android and iPhone contact tracing system as part of a contract with the U.S. Department of Homeland Security. The firm had found that the logs showed sensitive data, like whether a person was in contact with someone who had tested positive for covid-19. The data also contained information like the device name, MAC address, and advertising ID, which is what Google Play services use to personalize ads.
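To make the log exposure concrete, here is an added example (not code from the article, AppCensus, or Google) of an audit that scans captured log lines for the identifier kinds named above and redacts them. The log layout, tag names, and sample values are constructed, and the 16-byte rolling identifier length is taken from the published Exposure Notification specification rather than from the article.

```python
import re

# Identifier kinds the article says appeared in the system log. The 32-hex
# (16-byte) rolling identifier length follows the published Exposure
# Notification spec; the log layout and tags below are constructed.
PATTERNS = {
    "mac_address": re.compile(r"\b(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}\b"),
    "advertising_id": re.compile(
        r"\b[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\b"),
    "rolling_identifier": re.compile(r"\b[0-9a-fA-F]{32}\b"),
}

# Constructed sample lines (hypothetical tags and values, not real captures).
SAMPLE_LOG = [
    "05-01 10:15:02.114 D/ExampleScanner: sighting rpi=9f3c1a7be2d04c55a1b27e6f0d48c3aa rssi=-71",
    "05-01 10:15:02.120 D/ExampleScanner: peer mac=4A:1B:2C:3D:5E:6F rpi=9f3c1a7be2d04c55a1b27e6f0d48c3aa",
    "05-01 10:15:03.001 I/ExampleAds: adid=38400000-8cf0-11bd-b23e-10b96e40000d",
    "05-01 10:15:04.500 I/ExampleScanner: scan cycle finished",
]


def audit_line(line):
    """Return (identifier kinds found, redacted copy) for one log line."""
    kinds = []
    for kind, pattern in PATTERNS.items():
        line, hits = pattern.subn(f"<{kind}>", line)
        if hits:
            kinds.append(kind)
    return kinds, line


def audit_log(lines):
    """Report every line that carries an identifier, with a redacted copy."""
    report = []
    for number, line in enumerate(lines, start=1):
        kinds, redacted = audit_line(line)
        if not kinds:
            continue
        # A rotating identifier logged beside a device-level identifier ties
        # that rotation to one device for anyone able to read the log.
        linkable = "rolling_identifier" in kinds and len(kinds) > 1
        report.append({"line": number, "kinds": kinds,
                       "linkable": linkable, "redacted": redacted})
    return report


if __name__ == "__main__":
    for entry in audit_log(SAMPLE_LOG):
        print(entry)
```
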
AppCensus claims that Google repeatedly dismissed the firm’s concerns when it brought up the issue in a February submission to Google’s bug bounty program. “This fix is a one-line thing where you remove a line that logs sensitive information to the system log,” Joel Reardon, co-founder and forensics lead of AppCensus, told The Markup. “It doesn’t impact the program, it doesn’t change how it works.”
For its part, Google maintains that no one has accessed those logs.
“With the Exposure Notification system neither Google, Apple, nor other users can see your identity and all of the Exposure Notification matching happens on your device,” said a Google spokesperson. “These Bluetooth identifiers do not reveal a user’s location or provide any other identifying information and we have no indication that they were used in any way - nor that any app was even aware of this.”
Google added that it’s aware of the issue “where the Bluetooth identifiers were temporarily accessible to some pre-installed applications for debugging purposes.” It started rolling out an update to Android devices beginning several weeks ago and “will be complete in the coming days.” However, there’s not much information on how you can check to see if you have the update on your Android device. The report also states the flaw was not found in the iOS version of the contact-tracing framework.
During the rollout, Google had publicly promised that the necessary contact tracing data would be stored locally on the device rather than sent out to the cloud for processing. The only time the data was expected to leave the phone was when notifying the public health department that you’ve tested positive, providing you consented to share your test results. In California, for example, you use the CA Notify app to upload your test results, then the state texts you for further verification.
Despite Google’s assurances that third parties accessed no sensitive data, these sorts of discoveries tarnish the Android experience. Folks were already skeptical of the feature, considering how rushed the framework seemed at the time. Even I ignored my initial doubts, reasoning that I was a contributing and caring member of society by enabling it on my phone.
The more significant issue here is the one that’s plagued Android since its beginnings. With so many cooks in the kitchen, it’s hard to account for all those chefs. Android’s open-source nature is what helps the platform continue to flourish, but there’s also a case to be made for closing it up a bit—at least when public health is at stake.