40% of COVID-19 Tracking Apps Fail to Protect Personal Data
An analysis of 95 mobile apps designed to track contacts of people infected with COVID-19 has revealed that 60% of them use the official exposure notification API. However, the remaining 40% lack even basic privacy protection measures.
Mobile apps that help authorities identify potential carriers of the virus have been launched in many countries in response to the COVID-19 pandemic. These apps collect users' personal information and geolocation data, and can notify smartphone owners about possible exposure risks.
Because the data collected by COVID-19 apps is highly sensitive, protecting these apps from hacking is especially important. A study conducted by cybersecurity company Guardsquare in June evaluated the security of these apps and the risk of privacy breaches.
The sample included 52 dedicated Android apps and 43 iOS apps. These apps are used worldwide, including in 13 U.S. states and two U.S.-controlled territories. The security of the app code and user data was assessed using six different criteria.
The study found that the secure APIs developed by Google and Apple for exposure notifications are used by 62% of Android apps and 58% of iOS COVID-19 apps. The remaining apps are either completely unprotected or have only minimal security features.
Experts also discovered that apps using GPS and/or Bluetooth to collect sensitive data often do so in an insecure manner.
"Apps, especially those that require access to personal data or location information when installed on a mobile device, should always have proper safeguards for code integrity and the privacy of collected data," said Grant Goodes, Head of Research at Guardsquare. "To effectively limit the spread of COVID-19, developers, health authorities, and governments must pay close attention to the security of contact tracing apps."