
Google’s contact-tracing system has left data accessible to hundreds of apps for months

The ‘obvious’ issue had been in Android for years, but Google apparently did not consider fixing it before rolling out the coronavirus framework

Adam Smith
Wednesday 28 April 2021 12:59 BST

Google’s coronavirus contact tracing framework, which alerts users if they have been near someone with COVID-19, has been making its data available to third-party apps.

The software giant was informed of the privacy issue in February, a report from The Markup alleges, but said that the issue was not a “severe enough” flaw.

The contact-tracing framework is built into Android devices, but can communicate with iPhones. It works by monitoring the phone’s owner via Bluetooth, but the data should only be available to official apps of public health authorities such as the “NHS COVID-19” app, which is being used by 16 million people.

However, hundreds of preinstalled apps on Android devices, including Samsung Browser and Motorola’s MotoCare, have access to this potentially sensitive information. The signals that the contact-tracing framework generates are saved to the device’s system logs, which companies have permission to read for crash reports and analytics.

The information includes data about whether a phone registered a person as being in contact with someone who had the coronavirus, the device’s name, MAC address, and advertising ID, security researchers said.

Google had pledged that “the list of people you’ve been in contact with doesn’t leave your phone unless you choose to share it”.

Researchers from the privacy analysis firm AppCensus raised the problem with Google in February 2020, as part of the US Department of Homeland Security’s testing. Google reportedly did not change it.

“This fix is a one-line thing where you remove a line that logs sensitive information to the system log. It doesn’t impact the program, it doesn’t change how it works,” Joel Reardon, co-founder and forensics lead of AppCensus, told The Markup. “It’s such an obvious fix, and I was flabbergasted that it wasn’t seen as that.”

Reardon apparently contacted Google’s bug bounty program about the issue on 19 February. Google said that the finding was not a serious enough flaw to merit a reward, but that a panel would look through the findings in a subsequent meeting.

The Google security team eventually sent an automated email saying that they would “decide whether they want to make a change or not”, but Reardon has received no communication from Google since.

“Exposure Notifications uses privacy preserving technology to help public health authorities manage the spread of COVID-19 and save lives. With the Exposure Notification system neither Google, Apple, nor other users can see your identity and all of the Exposure Notification matching happens on your device. We were notified of an issue where the Bluetooth identifiers were temporarily accessible to some pre-installed applications for debugging purposes”, Google said in a statement to The Independent.

“Immediately upon being made aware of this research, we began the necessary process to review the issue, consider mitigations and ultimately update the code. These Bluetooth identifiers do not reveal a user’s location or provide any other identifying information and we have no indication that they were used in any way - nor that any app was even aware of this.”

However, Reardon had contacted Giles Hogben, Android’s director of privacy engineering, later in February. Hogben said that “[System logs] have not been readable by unprivileged apps (only with READ_LOGS privileged permission) since way before Android 11 (can check exactly when but I think back as far as 4).”

Google did not provide an answer as to why, if the company knew about these issues before Android 11, they were not fixed prior to the rollout of the contact tracing framework, nor why it did not provide Reardon with a response to his messages.
