COVIDSafe
COVIDSafe[14][15] was a digital contact tracing app released by the Australian Government on 26 April 2020[16][17] to help combat the ongoing COVID-19 pandemic.[18] The app was intended to augment traditional contact tracing by automatically recording encounters between users and later allowing a state or territory health authority to warn a user that they had come within 1.5 metres (4 ft 11 in) of an infected person for 15 minutes or more.[19] To achieve this, it used the BlueTrace and Herald protocols, originally developed by the Singaporean Government and VMware respectively,[20][21] to passively collect an anonymised registry of near contacts.[22] The efficacy of the app was questioned over its lifetime; it ultimately identified just 2 confirmed cases by the time it was decommissioned on 16 August 2022.[23]
Not to be confused with Coronavirus Australia.
Developer(s):
- Department of Health
- Department of Home Affairs
- Digital Transformation Agency
- Amazon Web Services
- Shine Solutions
- GoSource
- Atlassian
- Ionize Pty Ltd
- BCG Digital Ventures
- Delv Pty Ltd[1][2]: 2:54:00 [3]
Initial release: 26 April 2020
Size:
- 5.9 MB (Android)
- 5.7 MB (iOS)
Available in: English
Issues
Issues on iOS
Versions 1.0 and 1.1 of COVIDSafe for iOS did not scan for other devices when the application was placed in the background, resulting in far fewer recorded contacts than was possible. This was later corrected in version 1.2.[127] Additionally, until the 18 June 2020 update, a bug existed where locked iOS devices were unable to fetch new temporary IDs.[128] Devices collected 24–48 hour pools of temporary IDs in advance, meaning a device could easily exhaust its pool unless the phone happened to be unlocked at the time the app was scheduled to replenish it.
Additionally, all third-party digital contact tracing protocols experience degraded performance on iOS devices,[129][101] particularly when the device is locked or the app is not in the foreground.[130][131] This is a characteristic of the operating system, stemming from how iOS manages its battery life and resource priority.[132]: 01:19:30 The Android app does not experience these issues because Android is more permissive with background services and the app can request the operating system to disable battery optimisation.[133][132]: 01:22:00
Country calling code restrictions
COVIDSafe requires an Australian mobile number to register, meaning foreigners in Australia need a local SIM card.[134] Initially, residents of Norfolk Island, an external territory of Australia, were unable to register with the app because they use a different country calling code from mainland Australia, +672 instead of +61.[135][136][137] The Australian government released an update resolving the issue on 18 June 2020.[128][138]
Independent analysis
On 29 May 2020, a group of independent security researchers including Troy Hunt, Kate Carruthers, Matthew Robbins, and Geoffrey Huntley released an informal report raising a number of issues discovered in the decompiled app.[167][132][168] Their primary concerns were two flaws in the implementation of the protocol that could potentially allow malicious third parties to ascertain static identifiers for individual clients.[169] Importantly, all issues raised in the report were related to incidental leaking of static identifiers during the encounter handshake.[167] To date, no code has been found that intentionally tracks the user beyond the scope of contact tracing, nor code that transmits a user's encounter history to third parties without the explicit consent of the user.[132][170][171] Additionally, despite the flaws discovered through their analysis, many prominent security researchers publicly endorse the app.[172][173][174][175]
The first issue was located in BLEAdvertiser.kt, the class responsible for advertising to other BlueTrace clients. The bug concerned a supposedly random, regularly changing three-byte string that was, in fact, static for the entire lifetime of an app instance.[176][167]: Issue #2 [177]: line 85–86 This string was included with all handshakes performed by the client. In OpenTrace this issue did not occur, as the value changes every 180 seconds.[178] While three bytes is likely not enough entropy on its own to identify individual clients, especially in a densely populated area, when used in combination with other static identifiers (such as the phone's model) it could have been used by malicious actors to determine the identity of users.[167][168] This issue was addressed in the 13 May 2020 update.[179]
The second issue was located in GattServer.kt, the class responsible for managing BLE peripheral mode, where the cached read payload was not cleared correctly. Although it functioned normally when a handshake succeeded, a remote client who broke the handshake would have received the same TempID for all future handshakes until one succeeded, regardless of time.[167]: Issue #1 This meant a malicious actor could always intentionally break the handshake and, for the lifetime of the app instance, the same TempID would always be returned to them. This issue was resolved in OpenTrace,[180] yet was unfixed in COVIDSafe[169][181] until the 13 May 2020 update.[179]
Other issues more inherent to the protocol include the transmission of device model as part of the encounter payload, and issues where static device identifiers could be returned when running in GATT mode.[167] Many of these are unfixable without redesigning the protocol, however they, like the other issues, pose no major privacy or security concerns to users.[168]
Legislation
The Biosecurity Determination 2020, made with the authority of the Biosecurity Act 2015,[182][183] governs how data collected by the COVIDSafe app is stored, submitted, and processed. Later a separate bill was introduced to codify this determination, the Privacy Amendment (Public Health Contact Information) Bill 2020.[41][42] The determination and bill make it illegal for anyone to access COVIDSafe app data without both the consent of the device owner[39]: §7.1 and being an employee or contractor of a state or territory health authority.[39]: §6.2 Collected data may be used only for the purpose of contact tracing or anonymous statistical analysis,[39]: §6.2.a.ii & §6.2.e [184] and data also cannot be stored on servers residing outside Australia, nor can it be disclosed to persons outside Australia.[39]: §7.3 [185] Additionally, all data must be destroyed once the pandemic has concluded, overriding any other legislation requiring data to be retained for a certain period of time.[39]: §7.5 The bill also ensures no entity may compel someone to install the app.[39]: §9 [186] Despite this, there have been reports of multiple businesses attempting to require employees to use the app.[187][188]