A flaw in Google's implementation of the exposure notification framework for Android smartphones could put users' privacy at risk, with no fix in sight, researchers have found.
Google and Apple released their privacy-preserving exposures notification framework for contact tracing, in the wake of the growing Covid-19 pandemic last year.
Dr Joel Reardon of consumer data privacy firm AppCensus discovered that the Android implementation of the Google-Apple Exposure Notification (GAEN) framework writes vital information to system log files.
The system log can be read by hundreds of third-party apps with the information in them used for privacy attacks, Dr Reardon wrote.
By analysing what GAEN writes to Android log files and combining it with other data, some of which is publicly available, a range of sensitive information that de-anonymises users' health status and even location may be inferred.
Google is not following its own Android privacy and security best practices, which warn that privacy breaches have taken place when sensitive user data is logged, the researchers said.
"The key point is that one should simply not log sensitive data to the system log in the first place," Dr Reardon wrote.
"If sensitive data is saved to the system log, one loses control over what happens to it, because it is accessible to other entities."
AppCensus is now calling on Google to cease writing data that puts Android users' privacy at risk to device system logs, but the company has so far not acknowledged the problem which remains unresolved.
Dr Reardon is also asking that log data already collected by third parties has the exposure notification entries removed.
"It is crucial that any entity that has collected system log data from Android devices sanitise any entry containing contact-tracing data, and that this unnecessary logging be stopped as soon as possible," Dr Reardon wrote.
Australia does not use GAEN for its CovidSafe contact tracing app, but New Zealand does with its CovidTracer for Android and iOS.
The AppCensus research is funded by the Science and Technology Directorate under the United States government's Department of Homeland Security.
