Privacy-busting contact tracing data logged on Android

By on
Privacy-busting contact tracing data logged on Android
Source: AppCensus

Google will not acknowledge or fix faulty EN implementation.

A flaw in Google's implementation of the exposure notification framework for Android smartphones could put users' privacy at risk, with no fix in sight, researchers have found.

Google and Apple released their privacy-preserving exposures notification framework for contact tracing, in the wake of the growing Covid-19 pandemic last year.

Dr Joel Reardon of consumer data privacy firm AppCensus discovered that the Android implementation of the Google-Apple Exposure Notification (GAEN) framework writes vital information to system log files.

The system log can be read by hundreds of third-party apps with the information in them used for privacy attacks, Dr Reardon wrote.

By analysing what GAEN writes to Android log files and combining it with other data, some of which is publicly available, a range of sensitive information that de-anonymises users' health status and even location may be inferred.

Google is not following its own Android privacy and security best practices, which warn that privacy breaches have taken place when sensitive user data is logged, the researchers said.

"The key point is that one should simply not log sensitive data to the system log in the first place," Dr Reardon wrote.

"If sensitive data is saved to the system log, one loses control over what happens to it, because it is accessible to other entities."

AppCensus is now calling on Google to cease writing data that puts Android users' privacy at risk to device system logs, but the company has so far not acknowledged the problem which remains unresolved.

Dr Reardon is also asking that log data already collected by third parties has the exposure notification entries removed.

"It is crucial that any entity that has collected system log data from Android devices sanitise any entry containing contact-tracing data, and that this unnecessary logging be stopped as soon as possible," Dr Reardon wrote.

Australia does not use GAEN for its CovidSafe contact tracing app, but New Zealand does with its CovidTracer for Android and iOS.

The AppCensus research is funded by the Science and Technology Directorate under the United States government's Department of Homeland Security.

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © iTnews.com.au . All rights reserved.
Tags:
appcensus apple covid19 dhs google privacy security software

Sponsored Whitepapers

Customer Identity and Access Management for Dummies
Customer Identity and Access Management for Dummies
Empowering workforces in the new environment
Empowering workforces in the new environment
Is the technology refresh dead?
Is the technology refresh dead?
DevSecOps: A framework for digital innovation
DevSecOps: A framework for digital innovation
Encryption: Protect your most critical data
Encryption: Protect your most critical data

Events

Most Read Articles

NBN Co already wants to upgrade some FTTC users to full fibre

NBN Co already wants to upgrade some FTTC users to full fibre
John Holland breaks first ground on three-year digital transformation

John Holland breaks first ground on three-year digital transformation
NBN subcontractors join nationwide protest

NBN subcontractors join nationwide protest
Starlink satellite internet service gets 500,000 preorders

Starlink satellite internet service gets 500,000 preorders

Log In

Email:
Password:
  |  Forgot your password?