Google To Fix Issue That Allowed Other Apps To Access COVID-19 Contact-Tracing Data

Remember the Google and Apple COVID-19 contact-tracing API that the two companies co-developed in 2020?

An issue in Android reveals an issue with Android’s implementation of the COVID contact-tracing API. The problem resides in the Google-Apple Exposure Notification (GAEN) system used by many countries and regions to do digitally assisted contact tracing, according to Joel Reardon, the forensics lead and co-founder of AppCensus.

AppCensus analyzes free, publicly available Android apps and reports the private and personally identifying information that different apps access and share with other parties over the Internet.

Since at least February 2021, some apps that didn’t need access to the data in the contact-tracing logs were able to see it.

Reardon explains that the GAEN logs important pieces of information to the system log, which can be read by hundreds of third-party app users and used for the privacy attacks that the site previously warned about.

The GAEN uses what Reardon calls random-looking rolling proximity identifiers (RPIs) that broadcast through Bluetooth in a user’s phone and can be heard by other nearby Bluetooth-enabled phones.

Every 15 minutes, these RPIs change, so a user cannot be tracked through the RPIs that they broadcast.

While there is no evidence that the data has been compromised by apps other than those that use COVID-19 APIs, the post clearly calls attention to the data logged, and explains why this logging is so concerning. The only apps that can access the are those pre-installed on the device.

Among the data Google Mobile Services (GMS) logs, the current Bluetooth MAC address of the sending device. A more technical description is found here.

A Google spokesperson told 9To5Google that the company is committed to rolling out a fix for this issue. “

We were notified of an issue where the Bluetooth identifiers were temporarily accessible to specific system level applications for debugging purposes, and we immediately started rolling out a fix to address this,” said a Google spokesperson.

Next story loading loading..