Analysts reverse engineer COVIDSafe app to pull apart its functionality

Analysts who reverse engineered the government’s COVIDSafe app have verified its security but say it may store more data than we think.

Chris Griffith

5 min read

12:52PMApril 28, 2020.

Updated 10:29PMMay 11, 2021

Covidsafe app screengrabs - iphone. Custom Crop 650 x 460.

Analysts who reverse engineered the government’s COVIDSafe app have given it a clean bill of health security wise but have revealed it may store more data than we think.

Analysis has appeared online in the past 24 hours ahead of government plans to release the source code.

One analysis is by QTE.AM, a group of Australian research and development companies that work on tech projects in artificial intelligence, photonics, and robotics. Their analysis is mainly based on reverse engineering the Android version of the app.

“With the caveat of working only with a decompiled code base rather than full source code, we could find no significant security flaws, no GPS and location tracking or unexpected server communication within the application and no behaviours significantly outside the stated purpose of this contact tracing application,” the analysis says.

Its detailed report on how the application works concurs with much of what the government says about how the app operates.

It confirms that the COVIDSafe app operation involves interaction with a central server. After a user registers, the app requests an anonymous ID from the central server.

The report says the app makes this anonymous ID available over Bluetooth so it can be scanned by nearby devices. “This advertising seems to run almost permanently with what appears to be approximately 5 second breaks every 5 minutes,” the report says.

It says a device scans every 36 to 43 seconds for other nearby signals of phones running the COVID-19 app.

Scanned information is saved to a database on the phone, as the government claims. Records contain the anonymous ID of the detected phone, the Bluetooth signal strength that was being transmitted, the Bluetooth signal strength that was received, and the model of the phone detected.

However it seems that the phone collects many more records than just of people you encounter within 1.5 metres for 15 minutes.

First, it seems the app has no way of knowing the distance to another Bluetooth signal without knowing its emitting signal strength. A phone might have a weak Bluetooth signal and appear far away, but it could be relatively close because it uses less power.

It seems the app records the models of phones it has encountered so that it can look up a table of relative signal strength to calculate distances away. The initial analysis suggests that this calculation is done by the central server rather than the phone, in which case the phone would have no way of knowing immediately whether to store or ditch a record on the basis of distance. It would have to store many more records of encounters than needed by the app, so that distance can be analysed later.

Secondly, to know that a phone was in contact with another phone for 15 minutes or more, the phone would have to store interim records of all Bluetooth encounters after each 40 second or so sweep, and then compare records to work out if a phone it contacted now had appeared in earlier sweeps.

Jessica Glenn, executive chair at Q Team, says it seems that all device detections are sent to servers when a person tests positive and agrees to release them, and filtered there.

"From our analysis of the decompiled code the application on the user's device doesn't appear to determine 15 minute increments, or 1.5 metre distances in order to filter device detections. Instead it seems that the records from all detected devices that are running the COVIDSafe app are stored for 21 days, and then if a user requests, are sent to the central datastore."

This suggests the COVIDSafe app would store more encounters on the phone than ones within 1.5 metres and at 15 minute intervals, but the view by QTE.AM still is that personal data is stored securely.

She says data is stored on phones in a way that it can’t be accessed by other applications on the device. “However it is accessible by the user by backing the database up to a computer. This requires Android debug tools and developer mode enabled on the device, so isn’t immediately accessible on all devices. That being said, once the data is off the device it does not appear to be encrypted.”

The report says that if a user tests positive to COVID-19, all recorded Bluetooth contact events are uploaded to the Amazon Web Services (AWS) data store, not just those that are within a 1.5 metres for 15 minutes threshold, and it seems distance filtering is likely to occur at that time.

It says most of the COVID-19 code has been all but copied from the Singapore Government's OpenTrace implementation which is available on GitHub.

“This is excellent as it uses code that has been tested thoroughly and used in a production environment, instead of reinventing the application from scratch.”

The COVIDSafe app. Picture: AFP

However it says the storage of all interactions seems excessive, scanning intervals could be relaxed to preserve battery life, and the interactions (stored on Android phones) should be encrypted, albeit that the user IDs are anonymous already.

“With the absence of the promised source code it is hard to give a full analysis of the applications, especially for the iOS version,” the report says.

“However, with the information that has been gleaned by reverse engineering the apps it seems that this is a relatively good implementation that mostly follows best practices.”

Macquarie University Professor of Computing Dali Kaafar said that the COVIDSafe app would ask the central server to send it a new encrypted ID every two hours to further obfuscate a user’s identity on their phone.

He said Macquarie University had done its own “dynamic analysis” and had also established that the records of phone model, and Bluetooth strength and user ID stored on phones was not encrypted – only user IDs coming from the central server.

He said it was hard to know what the functionality of software stored on the central server without its source code also being released.

He said it was clear that much of the COVIDSafe app code came from the TraceTogether app.

Professor Kaafar said it may take time to detail any security vulnerabilities including whether the app was vulnerable to “man in the middle” attacks.

While critical of some technical aspects of the app, Professor Kafaar has supported the government’s plan to release a contact tracing app.

Marc Rogers, Executive Director of Cybersecurity Strategy at Okta and Head of SecOps for DEF CON, said the designers of Bluetrace (the technology that the app is based on) had recommended that encrypted IDs were rotated every 15 minutes, which is what the Apple Google alliance was doing. However, according to the privacy policy, the Australian app only rotates encrypted Bluetooth IDs every two hours.

“On some devices there also appears to be a bug in the app that means it fails to rotate the ID at all until the user reboots their phone. Given the extended length between rotations, it would be easy to track app users for long periods of time.

“ Secondly, the app transmits the model of the user’s phone together with the encrypted ID. Taken together, these two flaws offer enough information for any commercial Bluetooth tracking tool, or even a free Bluetooth tracking app, to track a COVIDSafe user. This is a big problem from a privacy perspective.”