Apple and Google made headlines when they announced they’d be working together to bring contact tracing to smartphones all over the world. This practice, now in place in many countries, has been key to slowing the COVID-19 pandemic and preventing extensive community spread of the deadly virus.
Although Google and Apple have released the API for contact tracing to their respective devices, the two companies are not responsible for developing apps that do the actual work. Instead, they’re leaving that task for local developers and health authorities to tailor to their specific populations.
But now, as several of these apps get close to an official release, security researchers are concerned that they may be opening up smartphones to potential breaches of privacy and data. Here’s why they’re concerned, as well as what specific issues may cause trouble down the road.
New concerns emerge over contact tracing apps
Contact tracing apps using Google and Apple’s joint API are highly anticipated by health officials and the general public alike. But researchers at Checkpoint Security have expressed skepticism about how safe these programs will actually be for users.
According to a new report released on June 11, Checkpoint noted that developers are centering their design on the Bluetooth data exchange that occurs during the contact tracing process. While there is nothing inherently dangerous about this design aspect, the firm worries that hasty development may lead to security holes that cybercriminals can take advantage of.
Thankfully, contact-tracing is a voluntary program, and you have to opt in to use the apps and API. That said, enough people are eager to use these systems that Checkpoint has outlined four primary security concerns to be aware of:
- Bluetooth: Checkpoint notes that although the API is supposed to make the Bluetooth data packets it exchanges anonymous and encrypted, sloppy development on the app-makers’ part could lead to hackers matching Bluetooth data to specific phones. This could unintentionally reveal personal information contained on the device.
- Personal data: Apps (including contact tracing apps) tend to store copious amounts of user data like contact logs, encryption keys, and personally-identifying information. If the apps are not properly “sandboxed” (stored and run in a secure area of the operating system), the data could be potentially accessed and exploited. Once again, this would be a developer issue.
- GPS: The apps are supposed to rely on Bluetooth for data exchange, but it’s possible a developer could enable GPS to help pinpoint superspreader events. Doing this could reveal to hackers where users have traveled to, or worse, where they live.
- Identity theft: Should personal data be uploaded into the contact tracing app (like COVID-19 status, emergency contacts, address, phone number, or first and last name), hackers hijacking the data packet exchange could easily obtain this data and use it for personal gain.
All of these issues are pretty significant and could make the general public hesitant to use these apps going forward. To the app developers out there: Please listen. The safety of your users’ data is in your hands right now!
What can I do to protect my information if I use a contact tracing app?
If developers speed through the release process, critical safety measures could be ignored, putting millions of people at risk of fraud and theft.
If you choose to use a contact tracing app to stay informed of the COVID-19 threat in your area, here are a few steps you can take to protect your information:
- Bluetooth concerns: Bluetooth is essential to the contact tracing process, but you don’t need to have it on when you’re not around large groups. The phone will continuously broadcast its Bluetooth signal in the background as you use the contact tracing app, so disabling Bluetooth when you’re not around crowds or in public areas can reduce your risk.
To disable Bluetooth on iOS: Open the Settings app and tap Bluetooth. Toggle the green switch into the Off position. Turn it back on again when you will be going into crowded areas and want to receive alerts.
To disable Bluetooth on Android: Open the Settings app and tap Connected Devices followed by Connection Preferences. Tap Bluetooth and toggle the switch to turn it off. Turn it back on again when you will be going into crowded areas and want to receive alerts.
- Personal data: Avoid keeping personal information like email addresses, passwords and phone numbers in easily accessible areas like your Notes or Reminders.
- GPS: Just like with Bluetooth, disable location services and GPS when visiting crowded areas. This will reduce your risk of any malicious activity. Disabling GPS shouldn’t affect any contact-tracing features that rely on Bluetooth.
To disable Location Services on iOS: Open the Settings app and tap Privacy. Tap Location Services and turn the toggle to the Off position.
To disable Location Services on Android: Open the Settings app and tap Location. At the top, toggle Use Location to off.
- Identity Theft: If you’re using personally-identifying information along with your contact-tracing app, make sure it’s stored in a secure location like Apple’s Health app. Just like with other personal data, keeping it out of an encrypted zone can mean exposure to hackers and cybercriminals.
Since most of these contact tracing apps are still in development, we won’t have a clearer picture of their actual risks until they’re released and we can examine them more closely. In the meantime, let’s just hope developers heed the warnings. Getting your identity stolen after getting a COVID-19 exposure alert will just add insult to injury.