Google exposes sensitive data by the wrong implementation of COVID-19-exposure tracking system

Researchers report finding multiple security flaws in Google support for contact tracking apps that could expose sensitive information. Experts report that these failures lie within the framework of Google-Apple Exposure Notifications (GAEN), funded by the U.S. Department of Homeland Security (NHS). This is a framework that allows users to keep track of coronavirus contagions recorded in the places they visit.

GAEN offers a decentralized system for Bluetooth-based mobile contact tracking applications. The framework is designed to help public health authorities manage the spread of coronavirus and save lives. With the coronavirus-exposure notification system, neither Google or Apple or any other users can see the user’s identity, as all registration occurs on a user’s device.

AppCensus experts have emphasized that there is no problem with COVID-19 contact tracking apps, although what concerns them is Google’s implementation of what was supposed to be a privacy preservation technology.

This hypothesis is based on the gaEN-based applications, developed jointly by Apple and Google, with severe security flaws, and Google’s GAEN implementation records sensitive information.

While this data could be read by hundreds of third-party apps, apps downloaded from the Google Play store have not been able to access system logs since 2012. Still, Google allows smartphone developers, network operators and their business partners to pre-install high-privileged applications on the system, experts mention.

This is a particular issue because the logs contain progressive proximity identifiers (RPI), which are transmitted from other devices by running the contact tracking app that are within reach of a user’s device. The log also contains details of the RPI, which change approximately every 15 minutes; As a final result, applications developed by device manufacturers such as Samsung and Xiaomi with the ability to read system logs can also access sensitive data from devices running Bluetooth-based tracking apps.

Experts do not claim that it is the fault of device manufacturers, as they claim that this is due to Google’s registration of sensitive data in the system registry in the first place, which will surely result in Google’s improper implementation of the GAEN mechanism.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.