Data privacy and safety: How secure are contact tracing Covid-19 apps?
Users can be vulnerable to "man-in-the-middle" attacks and app traffic interception if all communications with the app's back-end server are not correctly encrypted.

By
Apac CIOOutlook | Tuesday, March 02, 2021
Fremont, CA: The number of COVID-19 contact-tracing smartphone applications has spiked worldwide, and numerous governments and national health authorities back them. The two major smartphone OS vendors, Apple and Google, have both developed special protocols, alongside EU guidelines. The higher rate of adoption of such applications has raised many concerns about the safety of the data that the apps will access and the possible misuse of such systems. Security experts at Check Point have addressed the following concerns about contact-tracing applications:
Devices can be Monitored: Because some contact-tracing apps rely on Bluetooth Low Energy (BLE), devices broadcast handshake packets that enable contact recognition with other devices. If this is not correctly implemented, hackers can track a person's device by correlating devices with their respective identification packets.
Personal Data can be Compromised: Apps store contact logs, encryption keys, and other confidential user details on the device. Sensitive data should be encrypted and kept in the app's sandbox, not in shared locations. Even inside the sandbox, root privileges or physical access to the device could put the data at risk, more so if information such as GPS locations is stored.
Interception of the App's Traffic: Users can be vulnerable to "man-in-the-middle" attacks and app traffic interception if all communications with the app's back-end server are not correctly encrypted.
Contact tracing apps must perform authentication when information is sent to their servers, such as when users post their diagnoses and contact logs. Without proper authorization in place, repositories may be overloaded with false health reports, undermining the entire system's reliability.
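One way a back end could enforce the upload authentication described above, as an added example that is not from the article or from any particular app: the health authority issues a signed one-time token with a confirmed result, and the server rejects uploads whose token is forged, expired or already used. The names `issue_upload_token` and `UploadGate`, the token layout and the 15-minute lifetime are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


def issue_upload_token(key: bytes, now: float, ttl: int = 900) -> str:
    """Health-authority side: mint a one-time token after a confirmed test."""
    nonce = secrets.token_hex(16)          # unique per token, used for replay checks
    expires = int(now) + ttl               # assumed 15-minute default lifetime
    body = f"{nonce}.{expires}"
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


class UploadGate:
    """Back-end side: accept a diagnosis upload only with a valid, unused token."""

    def __init__(self, key: bytes):
        self._key = key
        self._used = set()                 # redeemed nonces (in-memory for the demo)

    def accept(self, token: str, now: float) -> str:
        parts = token.split(".")
        if len(parts) != 3:
            return "malformed"
        nonce, expires, tag = parts
        expected = hmac.new(self._key, f"{nonce}.{expires}".encode(),
                            hashlib.sha256).hexdigest()
        # Verify the MAC in constant time before trusting any field of the token.
        if not hmac.compare_digest(expected.encode(), tag.encode()):
            return "bad-signature"
        if now > int(expires):
            return "expired"
        if nonce in self._used:
            return "replayed"
        self._used.add(nonce)
        return "accepted"


if __name__ == "__main__":
    key = secrets.token_bytes(32)          # constructed demo key
    gate = UploadGate(key)
    token = issue_upload_token(key, now=1000.0)
    print(gate.accept(token, now=1001.0))  # first upload with the token
    print(gate.accept(token, now=1002.0))  # same token submitted again
```

A production service would keep the key in a secrets manager and store redeemed nonces in a shared database with an expiry matching the token lifetime.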
Solution
Download COVID-19 contact-tracing apps from official app stores, as these only allow authorized government agencies to publish such apps.
Download and install a mobile protection solution for scanning such apps, defending the device from threats, and checking that the device has not been hacked.