The slides for the presentation in ICSE'21 technical track. The rapid spread of COVID-19 has made traditional manual contact tracing to identify persons in close physical proximity to a known infected person challenging. Hence, various public health authorities have experimented with automating contact tracing with mobile apps. However, these apps have raised security and privacy concerns. In this paper, we propose an automated security and privacy assessment tool, COVIDGuard, which combines identification and analysis of Personal Identification Information (PII), static program analysis, and data flow analysis, to determine security weaknesses and potential private information leakage in contact tracing apps. Further, in light of our findings, we undertake a user study to investigate user concerns regarding contact tracing apps. We hope, COVIDGuard and the issues raised through responsible disclosure to vendors, the concrete guidelines provided, as well as the identified gaps between user requirements and app performance we found, can contribute to the development and deployment of mobile apps against COVID-19 and help us build secure and effective digital contact tracing solutions.

1. An Empirical Assessment of Global COVID-19
Contact Tracing Applications
ICSE’21
https://arxiv.org/abs/2006.10933
Ruoxi Sun*, Wei Wang*, Minhui Xue*,
Gareth Tyson+, Seyit Camtepe$, Damith C. Ranasinghe*
* The University of Adelaide
+ Queen Mary University of London
$ CSIRO-Data61

2. Motivation
• The rapid spread of COVID-19 has made
traditional manual contact tracing challenging.
• A number of public health authorities have
experimented with automated contact tracing
apps.
• These apps have raised security and privacy
concerns.

3. Main Contributions
We develop COVIDGuardian, the first automated security
and privacy assessment tool that tests contact tracing apps.
We assess the security and privacy status of 40 worldwide
Android contact tracing apps.
We identify 4 major privacy and security threats against
contact tracing apps.
We also conduct a user study involving 373 participants, to
investigate user concerns and requirements.
We have disclosed our security and privacy assessment
reports to the related stakeholders.

4. Overview

5. Centralized Decentralized
• Collects the contact records from
diagnosed users
• Evaluates health status by server
• Collects the token of diagnosed users
• Evaluates health status by users
Contact Tracing Applications
Google and Apple
NHS COVID-19, UK
Corona Warn App, Germany
TraceTogether, Singapore
COVIDSafe, Australia
StopCovid, France

6. Security Assessment

7. Security Assessment - Methodology
An overview of our security and privacy assessment methodology
COVIDGuardian

8. Security Assessment - Results
• Use at least one deprecated cryptographic algorithm (73%)
• Allow “Clear Text Storage” (55%)
• Allow Backup (43%)
• Contain trackers (75%)
• The top sources of sensitive data: Location and
database.Cursor
• Most of the sensitive data will be transferred to sinks, such as
Bundle, Service, and OutputStream
• Some apps transmit location information through SMS
messages
• We discovered one application, Stop COVID-19 KG (Kyrgyzstan),
containing malware.

9. Security Assessment – Regression Testing
• One month after disclosing our findings with the
developers, we re-checked the new versions of contact
tracing apps.
• Fixed security issues - TraceTogether, BluZone, STOP
COVID19 Cat
• Removed trackers - Mysejahtera
• No longer available in Play Store - Contact Tracer
• New vulnerabilities are identified in some apps
• The urgency of app developments may impact quality
assurance procedures

10. Privacy Risk Evaluation – Potential Attacks
Linkage attack by the server Linkage attack by users
False-positive claims Relay attack

11. Privacy Risk Evaluation - User Privacy Exposure
- Secure, No data is shared with a server or users;
- Medium-risk, Non-PII tokens are shared with proximity users;
- Medium-risk, Non-PII tokens are shared with the server;
- High-risk, PII is shared with a server;
- Highest-risk, PII is released to public.
- The system is well protected
- The system is at-risk
- Inadequate information to conduct an assessment
- Centralized system
- Decentralized system

12. User Study - Design
• 373 volunteers in Australia
• Age - 18-29 years old
• Nationality - 58% Oceania, 20% Asia
• Gender - 59% female, 39% male
• Education - 30% high school, 67% university graduates
Participants Survey Protocol
• Questionnaire with 5-point Likert scale questions
• Pencil-and-paper and online
• Likelihood of using contact tracing apps
• Functionality scenarios
• Accuracy of proximity contact detection
• Accuracy of at-risk alarm
• Privacy scenarios
• PII leakage
• Provide data to authorities if diagnosed
• Concerns about use of contact tracing apps
• Usability
• Effectiveness
• Concerns about privacy
Privacy Scenarios
• Type A - Centralized, PII collected
• Type B - Centralized, non-PII collected
• Type C - Decentralized, PII collected
• Type D - Decentralized, non-PII collected

13. User Study - Results
- Extremely likely
- Extremely unlikely
- Extremely likely
- Extremely unlikely
- Extremely unconcerned
- Extremely concerned
• Privacy design and tracing accuracy impact the
likelihood of app use.
• Users are more likely to accept and use apps
with better privacy by design.
• If PII data is collected, users prefer a
centralized solution

14. Future Works
• Examine Bluetooth Low Energy and network
traffic originating from contact tracing
• Examine any vulnerabilities associated with iOS
counterparts.

15. Thank you!
Ruoxi Sun
ruoxi.sun@adelaide.edu.au
Supervised by Minhui (Jason) Xue
jason.xue@adelaide.edu.au