Display screens of Ontario's COVID-19 exposure notification app, to be released July 2.

Published: July 9th, 2020

With Ontario still delaying the release of the beta version of the federal-endorsed COVID-19 exposure notification mobile app, an executive of a bug bounty platform warns that confidence in any app will depend on the ability of the public to analyze and report holes in the software.

“The big thing we’ve been advocating for is making sure at the very least there is a vulnerability disclosure program in place,” Casey Ellis, CTO and founder of Bugcrowd, said in an interview. “Security researchers are interested in their own safety as probable users of this app,” he said, so for that reason alone, they want to be able to feedback any issues to app developers.

“That needs to be backed up with a fairly robust intake method and a robust ability to make changes and issue security fixes should they be necessary.”

He acknowledged that’s true for any application, but Ellis believes it’s particularly important for COVID contact tracing/exposure notification apps because they are being developed quickly “and speed is the natural enemy of security.”

Vulnerability reporting will also help improve public confidence, he added, because they will see that bugs are being fixed.

The importance of issuing security updates was underscored in a recently-published study of security and privacy issues of 34 Android COVID-19 contact tracing applications by five university researchers (four from Australia) and a researcher from Australia’s national science research agency.

None of the apps were built around the decentralized Apple-Google framework on which the federally-endorsed app that Ontario is about to test is constructed upon. It doesn’t collect any location data, nor send any data to a centralized server. Most of the apps studied by these researchers used a centralized model. So does Alberta’s ABTraceTogether app, which uses code from Singapore’s TraceTogether app.

The researchers from about 70 per cent of the apps studied posed potential security risks either because they use cryptographic algorithms that are insecure or not part of best practice; or because they stored sensitive information in clear text that could be potentially read by attackers.

Over 60 per cent of apps posed vulnerabilities through what they called manifest weaknesses such as allowing permissions for backup which would result in the copying of potentially unencrypted application data. Three-quarters of the apps contained at least one tracker, potentially causing serious privacy data leakage.

“The results demonstrate that there is no solution that is able to protect users’ privacy against all of the attacks investigated,” the researchers concluded.

However, they also said that “generally, Bluetooth-based decentralized solutions that avoid direct location tracking outperform centralized systems” on privacy issues. Both the Alberta and Canadian apps use Bluetooth.

The study’s findings were reported to app developers May 23rd. Between then and the release of the study some app developers had responded. For example, all potential privacy leakage in apps from Singapore, Vietnam and Spain had been fixed. The trackers in the app from Malaysia had been removed. One U.S. app was been taken out of the Google Play store.

On the other hand, new vulnerabilities were found in updated apps in India and Spain.

The study suggests COVID-19 contact tracing and exposure notification apps inevitably come with security and privacy issues. Still, the researchers found that the majority of security patches are straightforward. For example, over 70 per cent of the studied apps use insecure hash functions such as SHA-1 and MD5 or store sensitive information in cleartext.

Solving privacy issues, the researchers admitted will be harder. “To the best of our knowledge, there are no solutions that can protect users’ privacy against all potential attacks.”

One key conclusion: “To ensure security and remove potential vulnerabilities, code should be released for public review.”

On June 18 Prime Minister Justin Trudeau announced a COVID-19 notification app developed by the government’s Canadian Digital Service, Ontario’s Digital Service and volunteers from online retail platform Shopify. Built on the Apple-Google framework the app is getting a security review from BlackBerry.

The app was supposed to be released in Ontario on July 2nd for beta testing. Asked this week why it hasn’t been launched an Ontario official referred to a statement that day from Premier Doug Ford, who said he’s ready to release the app but suggested Ottawa is holding back until it gets more provinces to agree to adopt it.

The Ontario official said when released the app will support most phones released in the last five years, including iPhone 6S or newer and Android phones running Android 6.0 or later. “We estimate that this includes at least 95 per cent of iPhones currently in use and over 85 per cent of Android devices.”

UPDATE: A spokesperson for the Canadian Digital Service, which helps design federal applications, said Apple devices will need to run iOS 13.5.