The promise of contact-tracing apps is that — anonymously and with high privacy and security — they’ll track everyone we’ve been in contact with and alert us if we’ve been close to someone who’s tested positive for COVID-19. But as these apps begin to emerge, some weaknesses are becoming apparent.
Already, North Dakota’s contact tracing app was reported to have been sharing data with Foursquare and Google. And a flaw in Qatar’s contact tracing app may have exposed hundreds of thousands of people’s data.
But perhaps the biggest weakness of all is incompatibility between apps from various states and countries. Back in April, Google and Apple announced they’re building an API framework for contact tracing apps, and most U.S. states have agreed to adopt that API. But even using a uniform API, each state may tailor its app somewhat differently. Utah, for example, has launched its Healthy Together app, but it opted to use location-based data rather than Bluetooth. And internationally there’s bound to be even more fragmentation. France has just launched its app, which does not follow the Google/Apple framework. Switzerland is piloting the first contact tracing app developed on the backbone of Google and Apple’s API, but apparently only 22 other countries have requested access to the API.
Patchworks of programming
Much like how our election process has led to some technical inconsistencies across local municipalities, having local governments build separate contact tracing apps could lead to a patchwork of results. Apple and Google hope to avoid this, by enforcing restrictions on mobile apps that implement their contact tracing APIs. However, adoption of Apple and Google’s API may not be widespread.
The United Kingdom and Norway have already publicly reported they would not use the API. And in recent weeks, many groups have criticized Apple and Google for imposing digital standards during a health crisis. Several European nations, along with public health groups have called on technology companies to offer more flexibility and openness of data. Medical groups led by Johns Hopkins University have also said technology companies shouldn’t control the terms, conditions, or capabilities of digital contact tracing.
It will be some time before we’re able to tell whether countries making privacy trade offs will have better health outcomes. It also remains to be seen how Apple and Google plan to enforce consumer privacy protections across a myriad of government-developed mobile apps, and if they will need to make adjustments along the way.
At this early stage, an app developer may believe they are adhering to the standards, but if they are not rigidly policed by Apple and Google, perhaps the developer will include a third-party SDK that, unbeknownst to them, begins siphoning sensitive data away.
For instance, under the current plan, California could add in a certain tracking feature, and New York could create a completely different third-party software development kit that would cause the app to work differently, resulting in interoperability issues across state borders.
Even if the various states prioritized interoperability so that members of the public can move between states with disparate apps without running into issues, the many combinations would need to be regularly tested if they are to be relied on.
And the incompatibility problem increases when you start traveling internationally. Apps created by the U.K., Norway, France, and others that opt out of using the Google/Apple API would almost certainly not work and exchange data with apps from countries using the Google/Apple framework.
In many parts of the world, especially the EU, countries may be incentivized to work across borders. For instance, there is a bridge connecting Denmark to Sweden that, pre-COVID-19, was open and had many commuters. Similarly, Bratislava in Slovakia is right up against the Austrian border.
Government coordination across these areas could smooth out some of these potential bumps, but only time will tell how well intra-app coordination will work. Until then, airline personnel, business travelers, vacationers, and regular commuters run the risk of being left behind if their origin and destination points have incompatible systems. While inconvenient, anyone traveling across borders should download and use the respective local contact tracing apps to help ensure the safety and health of themselves and others.
Overall, stark differentiation in the apps could lead to unforeseen effects, such as some cities controlling the outbreaks before others, inconclusive data, a lack of security, or a data breach. Which brings me to my final point: the need for robust security testing.
Coronavirus-related cyberattacks have shot up sharply in recent months. Google reported more than 18 million daily malware and phishing emails related to COVID-19 scams within just one week in April, and phone and text scams have recently been reported. Despite the urgency felt to develop and release these applications quickly, cyberattack numbers should give us pause as we develop software used specifically for and during a pandemic.
If developers sacrifice security for speed, users of these apps could become easy targets. Each contact tracing app should leverage comprehensive mobile application security testing in order to scan for vulnerabilities, data privacy concerns, malicious code, and other risks. Developers must also strive to fully comprehend where the data is going and how the traffic is being used. They will also need to fully understand any third-party software and supply chains that make up the application, as we often see vulnerabilities and data risks being passed on or inherited.
Anthony Bettini is CTO of WhiteHat Security. He was previously CEO and founder of container security startup FlawCheck, acquired by Tenable Research, and was CEO and founder of mobile security startup Appthority, acquired by Symantec.