Vetting Security and Privacy of Global COVID-19 Contact Tracing Applications
The rapid spread of COVID-19 has made traditional manual contact tracing to identify potential persons in close physical proximity to an known infected person challenging. Hence, a number of public health authorities have experimented with automated contact tracing apps. While the global deployment of contact tracing apps aims to protect the health of citizens, these apps have raised security and privacy concerns. In this paper, we assess the security and privacy of 34 exemplar contact tracing apps using three methodologies: (i) evaluate the design paradigms and the privacy protections provided; (ii) static analysis to discover potential vulnerabilities and data flows to identify potential leaks of private data; and (iii) evaluate the robustness of privacy protection approaches. Based on the results, we propose a venue-access-based contact tracing solution, VenueTrace, which preserves user privacy while enabling proximity contact tracing. We hope that our systematic assessment results and concrete recommendations can contribute to the development and deployment of applications against COVID-19 and help governments and application development industry build secure and privacy-preserving contract tracing applications.
READ FULL TEXT