COVID-19 Contact Tracing Apps
Are they securing user data properly?
On June 22, 2020, The Washington Post published an online article about coronavirus applications and their lack of security for users’ data. These contact tracing apps work by having users self-report that they have tested positive for the coronavirus; the app then uses location data or anonymized Bluetooth signals to alert other users that they may have been in proximity and possibly exposed to the virus.
The article discusses how the apps are severely lacking in security and privacy protections, which makes it easier for hackers to compromise the data users have stored in the app. The Washington Post reports that the developers of these applications did not implement strong digital protections that are standard on other applications dealing with sensitive personal or health-related information, and that some of these COVID-19 apps are even siphoning user data to third-party apps. These third-party applications could be used for targeted advertising or for tracking users across other, unrelated apps without their permission.
"One thing that's happening with [coronavirus] is that people are giving even more of their information up as response to the crisis, or downloading an app," says Adam Schwartz, a senior staff attorney at the Electronic Frontier Foundation, a privacy advocacy group.
Code hardening - a way of protecting APKs and SDKs from reverse engineering and hacking.
Runtime Application Self-Protection (RASP) - uses runtime instrumentation to detect and block computer attacks by taking advantage of information from inside the running software.
While analyzing the apps for these two categories, they also searched for common security protections:
The fastest product to market is not always the safest, and users should always be mindful of security and privacy when submitting sensitive information online or through mobile applications.
Always consider security when utilizing applications
Call BeCloud for questions and concerns regarding Application Security