Android App Security Flaw Exposed Covid-19 Tracing Logs

US-based privacy analysis startup AppCensus revealed on Tuesday, April 27, 2021, that a security flaw in the Android implementation of Google and Apple's joint Covid-19 contact tracing system, the Google/Apple Exposure Notification system (GAEN), was leaking sensitive data and contact tracing logs.

GAEN works by exchanging anonymized Bluetooth identifiers between a user's device and the nearby devices of other users who have the system installed, and recording those exchanges so that each device holds a record of which other devices it has been near, AppCensus states in its report.

If a user of the system tests positive for Covid-19, the app informs the relevant health authority and notifies the users whose devices recorded Bluetooth contact with the infected user's device, The Verge notes.

Security Flaw Exposed Covid-19 Tracing Logs

AppCensus reported the flaw to Google on February 19, 2021. The startup said that at the time its blog post was published, Google had not yet issued a patch; Google told The Verge that it was still working on a fix for the vulnerability.

According to The Verge, on Android the GAEN contact tracing data was being written to the device's privileged system log. The flaw is not present in the iPhone's exposure notification implementation.

However, as ZDNet reported, Google allows apps preinstalled by device manufacturers, network operators and commercial partners to read those system logs, which leaves users' contact tracing logs exposed to that software.

In a blog post, AppCensus co-founder and forensics lead Joel Reardon wrote that the manufacturers and partners with privileged access to read the system logs "are now receiving users' medical and other sensitive information as a result of Google implementation."
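The check a practitioner would want at this point is which packages on a given handset actually hold the privileged permission that grants system-log access, android.permission.READ_LOGS (a signature/privileged-level permission that ordinary third-party apps cannot obtain). The shell script below is an added example, not code from AppCensus, Google or the article. It parses the package dump produced by `adb shell dumpsys package` (the exact output format is an assumption; verify it against your own device) and, so that it runs offline, is fed a constructed sample rather than a real device dump.

```shell
#!/bin/sh
# Added example: list packages whose `dumpsys package` entry shows
# android.permission.READ_LOGS granted. Input format is assumed to match
# `adb shell dumpsys package` output (assumption: verify on your device):
#   Package [com.vendor.app] (hash):
#     install permissions:
#       android.permission.READ_LOGS: granted=true

apps_with_read_logs() {
    awk '
        # Each package section starts with "Package [name] (hash):";
        # remember the name so later permission lines can be attributed to it.
        /^Package \[/ {
            pkg = $2
            sub(/^\[/, "", pkg)
            sub(/\]$/, "", pkg)
        }
        # Report the current package once if READ_LOGS is granted.
        /android\.permission\.READ_LOGS: granted=true/ && pkg != "" {
            print pkg
            pkg = ""
        }
    '
}

# Constructed sample dump (not output from a real device). Package names
# are hypothetical.
SAMPLE_DUMP='Package [com.example.oem.telemetry] (1a2b3c):
  userId=10042
  install permissions:
    android.permission.READ_LOGS: granted=true
    android.permission.INTERNET: granted=true
Package [com.example.chat] (4d5e6f):
  userId=10043
  install permissions:
    android.permission.INTERNET: granted=true
    android.permission.READ_LOGS: granted=false
Package [com.example.carrier.diag] (7a8b9c):
  install permissions:
    android.permission.READ_LOGS: granted=true
'

# On a real handset, replace the sample with the live dump:
#   adb shell dumpsys package | apps_with_read_logs
printf '%s' "$SAMPLE_DUMP" | apps_with_read_logs
```

Every package the script prints can read logcat, so anything a system component writes to the log, including the GAEN identifiers described above, is visible to it; on a vendor build the list is usually longer than the stock Android shell and debugging tools alone.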

Reardon said there is no evidence that the logged data was actually collected or mined, The Verge reports. The exposure still poses a risk to consumers, given how many preinstalled apps have abused their privileged position in the past.

Following the disclosure, Law 360 reports that Google has been hit with a proposed class action lawsuit over the exposure of user data, filed by two plaintiffs, Jonathan Diaz and Lewis Bornmann.

“Users trusting that GAEN would not disseminate personal information was critical to attracting sufficiently broad participation for the apps to play a meaningful role in the public health authorities’ COVID-19 responses. For devices running Google’s Android operating system, Google designed GAEN in a manner that rendered these representations false,” said the complaint.

The lawsuit was filed in a district court in California; the two plaintiffs claim that Google violated the California Confidentiality of Medical Information Act as well as the California Constitution.