Date: 2020-05-27

The Digital Transformation Agency has fixed a security issue with its COVIDSafe contact tracing app that exposed Android device names over Bluetooth.

The update - its third since the source code for the app was released almost three weeks ago - was pushed out on Tuesday to “further enhance the protection and anonymity of users”.

It introduces “new measures to the Bluetooth contact tracing protocol” to remove the visibility of Android device names, as well as “an extra layer of encryption for the digital handshake”.

The issue was raised by software developer Jim Mussared and cryptographic researcher Eleanor McMurtry in their comprehensive summary of the app’s privacy issues.

Prior to the update, the pair said, Android phone model names and user-assigned device names were transmitted over Bluetooth, allowing for device re-identification and tracking.

“As we continue to iteratively enhance the COVIDSafe app, protecting the privacy of Australians is at the forefront of our efforts,” the DTA said in a statement.

“We would like to thank members of the community, including software developers and researchers, who have worked with us in addressing these issues.”

Initial thoughts regarding the recent code pushed to the COVIDSafe Android repository:

It seems to use AEAD via AES-128-CBC and SHA-256 HMACs to encrypt and authenticate Bluetooth payloads.

If this is correct, it's a really strong step in the right direction; @DTA did good.

— Eleanor ✨ (@noneuclideangrl) May 27, 2020

The update also introduces a new feature that “improves accessibility for people who use text to speech technology” to navigate and use the app.

The DTA said the “improvements include better descriptions of fields within the app, such as the age range selection when registering, and better recognition of back arrows”.

Other key improvements to COVIDSafe to date include improvements to Bluetooth performance on iOS devices, including when the device is locked.

This was made possible with new code sourced from the UK’s NHSX contact tracing app, which has been developed by the National Health Service’s healthtech unit.

However, the DTA is yet to detail whether these improvements have completely fixed the Bluetooth issues that were confirmed by the agency to impact performance on iOS devices.

The DTA will also look to improve COVIDSafe Bluetooth performance further following the release of the Google and Apple exposure notification application programming interface.

According to the ABC, the DTA and the Department of Health are currently testing the API to understand how it can be applied to Australia.

The DTA said it would continue to update the COVIDSafe app based on internal reviews and feedback from the community, with the next update slated to be released sometime in June.

“We are currently working on the next COVIDSafe update, which will be released in June,” it said.

More than six million Australians have now downloaded and registered for the COVIDSafe app.