Australia’s tech community has spent the last 24 hours reverse-engineering the government’s COVIDSafe app to see how it works, and whether there’s anything to be worried about. Here’s what they’ve found out so far.
Following its launch on Sunday, the government's new COVID-19 tracer app 'COVIDSafe' has been downloaded by more than 1.89 million Australians.
The app, which the government is urgently encouraging the public to install, is aimed at helping health officials quickly identify anyone who has come into contact with a confirmed case of coronavirus.
It does this by using Bluetooth technology to keep a record of any time two users of the app spend more than 15 minutes within 1.5 metres of each other. If a user of the app is diagnosed with coronavirus, they can consent to have their recent contacts shared with health authorities.
If enough Australians download the app, health experts say it could have a huge impact in the fight to contain coronavirus. Meanwhile, tech and privacy experts have raised concerns about the data the app will collect.
Last week, before the app's release, we explained how the technology was expected to work, and the key privacy concerns that had experts worried. Now that COVIDSafe is available for download, here's what experts have to say about whether it's up to scratch, and whether you should install it.
Software developers have reverse-engineered the COVIDSafe app. Here's what they discovered.
Before COVIDSafe was released, tech and privacy experts called on the Australian government to release the full source code, which would allow independent experts to find problems, offer solutions, and confirm that the app functioned as the government promised it would.
The government has not yet released that source code, though federal health minister Greg Hunt told the ABC on Monday that it would be released within two weeks.
While we wait for that source code, Australian software developers have begun to reverse-engineer the app instead, sharing their findings on social media.
On Sunday, software developer Matthew Robbins successfully downloaded and decompiled the Android version of the app.
Robbins has been working in tech for about 10 years, and has focused on app development for the last eight. He's not an expert on privacy -- we'll get to that -- but he knows a lot about how to build apps, and how to work out whether this one does what the government says it does. Over the past 24 hours, he and other software developers have been examining the COVIDSafe app, and learning what they can from the code.
Many of those findings are quite positive: on Twitter, Robbins confirmed that the app functions as expected, storing data securely on a user's phone, only recording signals from other phones that also have the app installed, automatically deleting all records after 21 days, and only uploading data to health authorities if a user gives permission.
The app also does not record a user's location (if you're an Android user and you get a message asking for access to location data when you install the app, this is an unfortunate quirk of Android -- when you ask for the kind of Bluetooth access an app like this needs, it automatically asks for location permissions too. COVIDSafe still does not record or use location data).
Robbins told The Feed he decompiled the app in his free time because he was curious, but said he was satisfied by what he saw.
"The data they're gathering is, for lack of a better phrase, relatively benign," he said. "I'm fairly confident in how the app has been built."
A couple of things stood out to Robbins as small mistakes, but he chalked those up to the speed with which the government was pushing to get the app released.
While he would still like to see the government release the full source code -- including for the iOS app, which is more difficult to reverse-engineer than the Android version -- on the whole Robbins said he did not come across any major red flags.
"I think it's absolutely worthwhile installing," he said.
A number of other experienced software developers have also reviewed the code and encouraged Australians to install the app.
If you're interested in the finer technical details, software engineer Geoff Huntley is documenting the Australian tech community's dissection of the source code in detail.
The app has been live for 24 hours. What problems have been discovered?
A few potential problems have been identified with the COVIDSafe app so far.
One key concern is whether users understand how to ensure the app is working on their phone. The app must be kept open and running in order to work -- you can use other apps on your phone, but COVIDSafe needs to stay open in the background while you're out and about.
Some experts have raised concerns that COVIDSafe may actually stop working on iPhones in some circumstances. When an iPhone enters low power mode, or when too many different apps are using Bluetooth, it is possible that COVIDSafe will stop working.
To date, the government has offered conflicting advice about what users need to do to check that the app is functioning. Currently, the government's COVIDSafe website advises iOS users that if their app has not been working for at least 24 hours, they will receive a notification with instructions on how to troubleshoot.
It's also difficult to say at this point whether the app will drain your phone battery; experts are divided, and we'll see in coming days.
These problems do not pose a security concern for app users, but may impact the effectiveness of the app if they're not addressed. Once again, experts are calling for the release of the iOS source code so they can look into performance issues and suggest fixes where possible.
Do security experts still have concerns about the COVIDSafe app?
Security experts do still have concerns about the COVIDSafe app. As for whether those security concerns should stop you from installing the app, experts say it really depends on your individual circumstances. Here's why.
Last week, before the app was released, The Feed spoke to privacy expert Professor Dali Kaafar, who is the Executive Director of the Optus Macquarie University Cyber Security Hub. Professor Kaafar outlined a number of the privacy concerns raised by an app like COVIDSafe, many of which still apply to the app today.
One key concern raised by Kaafar and other experts is the fact that data collected by the app will be uploaded to a central server. As Professor Kaafar told The Feed, whoever has access to the central server of an app like this has access to a huge amount of information. If that server is hacked, or accessed by someone malicious, there's a lot they can do with this information.
Since the app's release, other privacy experts like ANU Associate Professor Vanessa Teague have pointed out other concerning information that the app records and shares. For instance, the Australian app stores the make and model of the different phones and devices it encounters in plain text, readable to anyone with access to the phone and a little tech savvy.
"Although it may seem innocuous, the exact phone model of a person's contacts could be extremely revealing information," Teague and colleagues wrote in a blog post on Monday.
"Suppose for example that a person wishes to understand whether another person whose phone they have access to has visited some particular mutual acquaintance. The controlling person could read the (plaintext) logs of COVID Safe and detect whether the phone models matched their hypothesis."
"Although not very useful for suggesting a particular identity, it would be very valuable in confirming or refuting a theory of having met with a particular person."
Professor Kaafar is also concerned that the central authority may receive more information than a user realises. As Kaafar explained, if Person A is diagnosed with coronavirus and consents to upload their contacts, they may reveal that they recently hung out with Person B and Person C. The central authority now knows that Person B and Person C met, but neither of those people is necessarily aware that this information has been shared.
This, Professor Kaafar says, is where individual circumstances come in.
"This information might not really be sensitive for lots of people, but it might be really important for others. For example, two politicians from two different political parties who are meeting, or a journalist and a politician meeting."
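The inference Professor Kaafar describes can be made concrete with a short added example (not code from the app or from anyone quoted here). It assumes a constructed upload from Person A in which each record holds a contact label and the start and end time of the encounter; that record layout and the function name `infer_third_party_meetings` are illustrative assumptions, not COVIDSafe's real format.

```python
from datetime import datetime
from itertools import combinations

# Constructed sample: encounter log uploaded by "Person A" after a diagnosis.
# The (contact, start, end) layout is an assumption for illustration only.
UPLOADED_BY_A = [
    ("B", "2020-04-27 12:00", "2020-04-27 12:45"),
    ("C", "2020-04-27 12:10", "2020-04-27 12:40"),
    ("D", "2020-04-27 18:00", "2020-04-27 18:30"),
]


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")


def infer_third_party_meetings(log, min_overlap_minutes=1):
    """Return {(x, y): minutes} for pairs of the uploader's contacts whose
    encounters with the uploader overlapped in time. Two people who were
    close to the same person at the same moment were probably close to
    each other, even though neither of them uploaded anything."""
    inferred = {}
    for (id1, s1, e1), (id2, s2, e2) in combinations(log, 2):
        if id1 == id2:
            continue  # repeat sightings of one contact reveal nothing new
        start = max(_parse(s1), _parse(s2))
        end = min(_parse(e1), _parse(e2))
        minutes = (end - start).total_seconds() / 60
        if minutes >= min_overlap_minutes:
            pair = tuple(sorted((id1, id2)))
            inferred[pair] = inferred.get(pair, 0) + minutes
    return inferred


if __name__ == "__main__":
    # B and C overlap for 30 minutes; D was seen hours later and is not linked.
    for pair, minutes in infer_third_party_meetings(UPLOADED_BY_A).items():
        print(pair, f"{minutes:.0f} min")
```

Only Person A consented to the upload, yet the result links B and C; a design that keeps matching on the handset never gives a server this list to analyse.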
Professor Kaafar says that many of these privacy issues could be fixed by relatively small changes to the app; an international coalition of experts has also pointed out that it's possible to create a tracing app that does not upload information to a central authority at all.
Until those changes are made, Professor Kaafar told The Feed he personally will not be installing the app, but he's not quite sure what to advise other Australians to do.
"Whether I would be recommending installing it or not, I really don't know -- I actually find it to be a really tricky question," he said.
"I think the government has taken some privacy considerations into perspective, but it didn't hit some of the major ones. It did try to have some good intentions, though, for example to make sure that the location is not collected, and that the data will definitely be removed after 21 days."
"I think one important thing is that privacy is very personal. Some co-location information might be really sensitive for some people, and for others it might be completely irrelevant."
"I can't really give a binary recommendation here, but I will be sitting and waiting. We need a little more transparency on the tech and legislative aspects."
Should I install COVIDSafe?
Here's the upshot. The COVIDSafe app was rushed for a reason: we're in the midst of a pandemic. If we want to start opening up society again, being able to quickly identify anyone who may have been exposed to a new case of COVID-19 is crucial.
If enough Australians download this app and use it correctly, it's possible that it will really help out in this regard. But in order for the app to be effective, the government says at least 40 per cent of Australians need to be using it, if not more. That's close to 10 million people who need to sign up; as of Monday evening, we have just shy of two million.
Your personal decision about whether to use the app will probably hinge on what privacy means to you -- and as Professor Kaafar stressed, this is a personal call.
"What frustrates me the most in this sort of debate is putting this as a dilemma between 'helping people' and 'privacy'," he said. "It's really very bad to be positioning this as if people who care about privacy are selfish, while the others are okay."
David Vaile is the Stream lead for data protection and surveillance at the Allens Hub for Technology, Law and Innovation at UNSW. "In principle for something like this that potentially creates a centralised store of social graph information, reliant on legal and technical fixes for protection, you would advise caution," he said. "The public health concerns are however also very important, which is why it is hard."
If you ultimately decide that COVIDSafe isn't for you right now, remember that there's potential for plenty of this to change as the app is updated and improved. We'll keep you posted as that happens.