
COVIDSafe

COVIDSafe[14][15] was a digital contact tracing app released by the Australian Government on 26 April 2020[16][17] to help combat the ongoing COVID-19 pandemic.[18] The app was intended to augment traditional contact tracing by automatically recording encounters between users and later allowing a state or territory health authority to warn a user that they had come within 1.5 metres (4 ft 11 in) of an infected person for 15 minutes or more.[19] To achieve this, it used the BlueTrace and Herald protocols, originally developed by the Singaporean Government and VMware respectively,[20][21] to passively collect an anonymised registry of near contacts.[22] The efficacy of the app was questioned over its lifetime; it had identified just 2 confirmed cases by the time it was decommissioned on 16 August 2022.[23]

Not to be confused with Coronavirus Australia.

Developer(s)

  • Initial release: 26 April 2020
  • Stable release: 2.9 / 10 December 2021
  • Size: 5.9 MB (Android), 5.7 MB (iOS)
  • Available in: English
  • License: Proprietary, source code released[12][13]

Issues

Issues on iOS

Versions 1.0 and 1.1 of COVIDSafe for iOS did not scan for other devices when the application was placed in the background, resulting in far fewer recorded contacts than was possible. This was corrected in version 1.2.[127] Additionally, until the 18 June 2020 update, a bug existed where locked iOS devices were unable to fetch new temporary IDs.[128] Devices collected 24–48 hour pools of temporary IDs in advance, so a device could easily exhaust its pool unless the phone happened to be unlocked at the moment the app was scheduled to replenish it.


Additionally, all third-party digital contact tracing protocols experience degraded performance on iOS devices,[129][101] particularly when the device is locked or the app is not in the foreground.[130][131] This is a characteristic of the operating system, stemming from how iOS manages its battery life and resource priority.[132]: 01:19:30  The Android app does not experience these issues because Android is more permissive with background services and the app can request the operating system to disable battery optimisation.[133][132]: 01:22:00 

Country calling code restrictions

COVIDSafe required an Australian mobile number to register, meaning foreigners in Australia needed a local SIM card.[134] Initially, residents of Norfolk Island, an external territory of Australia, were unable to register with the app because they use a different country code from mainland Australia, +672 instead of +61.[135][136][137] The Australian government released an update resolving the issue on 18 June 2020.[128][138]

  • Release the Privacy Impact Assessment and the app source code
  • Major changes should be reviewed for privacy impact
  • A legislative framework put in place to protect the user
  • Certain screens be rearranged to better communicate information
  • Make clear what a user should do if they are pressured to reveal their contact logs, or are pressured into installing the app
  • Generalised collection of age
  • Gather consent from users both at registration and at submission of contact logs
  • Create a specific privacy policy for the app
  • Make it easier to rectify personal information
  • Raise public awareness about the app and how it works
  • Development of training and scripts for health officials
  • Put in place contracts with state and territory health authorities
  • Allow users to register under a pseudonym
  • Seek independent review of the security of the app
  • Review the contract with AWS
  • Ensure ICT contracts are properly documented
  • Investigate ways to reduce the number of digital handshakes
  • A special consent process for underage users

Independent analysis

On 29 May 2020, a group of independent security researchers including Troy Hunt, Kate Carruthers, Matthew Robbins, and Geoffrey Huntley released an informal report raising a number of issues discovered in the decompiled app.[167][132][168] Their primary concerns were two flaws in the implementation of the protocol that could potentially allow malicious third parties to ascertain static identifiers for individual clients.[169] Importantly, all issues raised in the report related to incidental leaking of static identifiers during the encounter handshake.[167] To date, no code has been found that intentionally tracks the user beyond the scope of contact tracing, nor code that transmits a user's encounter history to third parties without the explicit consent of the user.[132][170][171] Additionally, despite the flaws discovered through their analysis, many prominent security researchers publicly endorsed the app.[172][173][174][175]


The first issue was located in BLEAdvertiser.kt, the class responsible for advertising to other BlueTrace clients. A supposedly random, regularly changing three-byte string that the class included in its advertisements was, in fact, static for the entire lifetime of an app instance.[176][167]: Issue #2 [177]: line 85–86  This string was included with all handshakes performed by the client. In OpenTrace this issue did not occur, as the value changes every 180 seconds.[178] While three bytes is likely not enough entropy on its own to identify individual clients, especially in a densely populated area, in combination with other static identifiers (such as the phone's model) it could have been used by malicious actors to determine the identity of users.[167][168] This issue was addressed in the 13 May 2020 update.[179]


The second issue was located in GattServer.kt, the class responsible for managing BLE peripheral mode, where the cached read payload was not cleared correctly. Although it functioned normally when a handshake succeeded, a remote client who broke the handshake would have received the same TempID for all future handshakes until one succeeded, regardless of time.[167]: Issue #1  This meant a malicious actor could always intentionally break the handshake and, for the lifetime of the app instance, the same TempID would always be returned to them. This issue was resolved in OpenTrace,[180] yet remained unfixed in COVIDSafe[169][181] until the 13 May 2020 update.[179]


Other issues more inherent to the protocol include the transmission of the device model as part of the encounter payload, and cases where static device identifiers could be returned when running in GATT mode.[167] Many of these are unfixable without redesigning the protocol; however, like the other issues, they pose no major privacy or security concerns to users.[168]
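The two implementation flaws above come down to state that should have been refreshed but was not: an advertised value drawn once per app instance, and a cached read payload that survived a broken handshake. The following is an added Python model written for this article, not code from COVIDSafe or OpenTrace (which are Kotlin/Swift), showing each buggy behaviour beside its fix. Everything in it is constructed: the class and field names, the TempID values, and the 900-second TempID rotation window are assumptions; only the 180-second rotation of the advertised value comes from the article's description of OpenTrace. It also models the TempID-pool exhaustion described under "Issues on iOS".

```python
"""Model of two COVIDSafe identifier-leak defects beside their fixed behaviour.

Constructed example: names, fields and the 900 s TempID interval are assumptions;
only the 180 s rotation (cited for OpenTrace) comes from the article.
"""
import os
from typing import Callable, Optional

NONCE_ROTATION_S = 180      # OpenTrace refreshes the advertised value this often (article)
TEMP_ID_ROTATION_S = 900    # assumed TempID validity window for this model


def sequential_rng() -> Callable[[int], bytes]:
    """Deterministic stand-in for os.urandom so runs are reproducible."""
    counter = 0

    def rng(n: int) -> bytes:
        nonlocal counter
        counter += 1
        return counter.to_bytes(n, "big")

    return rng


class TempIdPool:
    """Pre-fetched pool of TempIDs, as the app downloaded 24-48 hours in advance."""

    def __init__(self, ids: list[str]) -> None:
        self.ids = ids

    def current(self, now: int) -> str:
        slot = now // TEMP_ID_ROTATION_S
        if slot >= len(self.ids):
            # Mirrors the locked-iPhone failure: the pool runs dry and was never replenished.
            raise RuntimeError("TempID pool exhausted; replenish before advertising")
        return self.ids[slot]


class Advertiser:
    """Models the advertiser's three-byte value (Issue #2 in the teardown report)."""

    def __init__(self, rotate: bool, rng: Callable[[int], bytes] = os.urandom) -> None:
        self.rotate = rotate
        self.rng = rng
        self._value = rng(3)   # buggy build: drawn once per app instance, never refreshed
        self._slot = 0

    def advertisement(self, now: int) -> bytes:
        if self.rotate:        # fixed build: redraw the value every NONCE_ROTATION_S
            slot = now // NONCE_ROTATION_S
            if slot != self._slot:
                self._value, self._slot = self.rng(3), slot
        return self._value


class GattServer:
    """Models the peripheral's characteristic read/write handling (Issue #1)."""

    def __init__(self, pool: TempIdPool, clear_on_disconnect: bool) -> None:
        self.pool = pool
        self.clear_on_disconnect = clear_on_disconnect
        self._cached: Optional[dict] = None

    def on_read(self, now: int) -> dict:
        # The payload is cached so a central reading it in several chunks sees one value.
        if self._cached is None:
            self._cached = {"temp_id": self.pool.current(now), "model": "constructed-model"}
        return self._cached

    def on_write(self, peer_record: dict) -> None:
        # The central wrote its own record: handshake complete, drop the cached payload.
        self._cached = None

    def on_disconnect(self) -> None:
        # The fix: a broken handshake (disconnect without a write) must also drop the cache.
        if self.clear_on_disconnect:
            self._cached = None


def observed_temp_ids(clear_on_disconnect: bool, read_times: list[int],
                      complete_handshake: bool = False) -> list[str]:
    """TempIDs one peer sees when it reads at each time and then disconnects."""
    server = GattServer(TempIdPool(["TID-A", "TID-B", "TID-C", "TID-D"]), clear_on_disconnect)
    seen = []
    for now in read_times:
        seen.append(server.on_read(now)["temp_id"])
        if complete_handshake:
            server.on_write({"temp_id": "PEER-ID"})
        server.on_disconnect()
    return seen


if __name__ == "__main__":
    times = [0, 1000, 2000]
    print("buggy server, broken handshakes:", observed_temp_ids(False, times))
    print("fixed server, broken handshakes:", observed_temp_ids(True, times))
    buggy, fixed = Advertiser(False, sequential_rng()), Advertiser(True, sequential_rng())
    for t in (0, 1000):
        print(f"t={t}s buggy={buggy.advertisement(t).hex()} fixed={fixed.advertisement(t).hex()}")
```

Run with the buggy server, a peer that reads and disconnects without writing keeps receiving TID-A at every time; with the cache cleared on disconnect, or whenever the handshake actually completes, each read returns the TempID for the current window, which is the property the 13 May 2020 update restored.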

Legislation

The Biosecurity Determination 2020, made under the authority of the Biosecurity Act 2015,[182][183] governs how data collected by the COVIDSafe app is stored, submitted, and processed. A separate bill was later introduced to codify this determination, the Privacy Amendment (Public Health Contact Information) Bill 2020.[41][42] The determination and bill make it illegal for anyone to access COVIDSafe app data without both the consent of the device owner[39]: §7.1  and being an employee or contractor of a state or territory health authority.[39]: §6.2  Collected data may be used only for the purpose of contact tracing or anonymous statistical analysis,[39]: §6.2.a.ii & §6.2.e [184] and data also cannot be stored on servers residing outside Australia, nor can it be disclosed to persons outside Australia.[39]: §7.3 [185] Additionally, all data must be destroyed once the pandemic has concluded, overriding any other legislation requiring data to be retained for a certain period of time.[39]: §7.5  The bill also ensures no entity may compel someone to install the app.[39]: §9 [186] Despite this, there have been reports of multiple businesses attempting to require employees to use the app.[187][188]


  • Senate Select Committee on COVID-19 Public Hearing on COVIDSafe, 2020-05-06
  • COVIDSafe App Teardown & Panel Discussion