Privacy-busting contact tracing data logged on Android

By on
Privacy-busting contact tracing data logged on Android
Source: AppCensus

Google will not acknowledge or fix faulty EN implementation.

A flaw in Google's implementation of the exposure notification framework for Android smartphones could put users' privacy at risk, with no fix in sight, researchers have found.

Google and Apple released their privacy-preserving exposures notification framework for contact tracing, in the wake of the growing Covid-19 pandemic last year.

Dr Joel Reardon of consumer data privacy firm AppCensus discovered that the Android implementation of the Google-Apple Exposure Notification (GAEN) framework writes vital information to system log files.

The system log can be read by hundreds of third-party apps with the information in them used for privacy attacks, Dr Reardon wrote.

By analysing what GAEN writes to Android log files and combining it with other data, some of which is publicly available, a range of sensitive information that de-anonymises users' health status and even location may be inferred.

Google is not following its own Android privacy and security best practices, which warn that privacy breaches have taken place when sensitive user data is logged, the researchers said.

"The key point is that one should simply not log sensitive data to the system log in the first place," Dr Reardon wrote.

"If sensitive data is saved to the system log, one loses control over what happens to it, because it is accessible to other entities."

AppCensus is now calling on Google to cease writing data that puts Android users' privacy at risk to device system logs, but the company has so far not acknowledged the problem which remains unresolved.

Dr Reardon is also asking that log data already collected by third parties has the exposure notification entries removed.

"It is crucial that any entity that has collected system log data from Android devices sanitise any entry containing contact-tracing data, and that this unnecessary logging be stopped as soon as possible," Dr Reardon wrote.

Australia does not use GAEN for its CovidSafe contact tracing app, but New Zealand does with its CovidTracer for Android and iOS.

The AppCensus research is funded by the Science and Technology Directorate under the United States government's Department of Homeland Security.

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © iTnews.com.au . All rights reserved.
Tags:
appcensus apple covid19 dhs google privacy security software

Sponsored Whitepapers

Develop a resiliency strategy that integrates risk analysis & continuity management
Develop a resiliency strategy that integrates risk analysis & continuity management
IBM Maximo: Manage any asset, anytime, any place with mobile EAM
IBM Maximo: Manage any asset, anytime, any place with mobile EAM
Optimise your operations with APM and AI-Powered insights
Optimise your operations with APM and AI-Powered insights
Forrester Study: Understand the total economic impact of using IBM Cloud Pak™ for Data
Forrester Study: Understand the total economic impact of using IBM Cloud Pak™ for Data
Technology skill development: The strategy for building better teams
Technology skill development: The strategy for building better teams

Events

Most Read Articles

Services Australia shifts most Centrelink payments to SAP S/4 HANA

Services Australia shifts most Centrelink payments to SAP S/4 HANA
Any Android security app is better than Google Play Protect

Any Android security app is better than Google Play Protect
Toll Group starts to scale out intelligent automation

Toll Group starts to scale out intelligent automation
Square to buy Australia's Afterpay for $39 billion

Square to buy Australia's Afterpay for $39 billion

Log In

Email:
Password:
  |  Forgot your password?