President Cyril Ramaphosa asked South Africans to download the government’s COVID-19 alert app during his latest address on 17 September 2020.

His appeal has been met with a lot of polarised opinions. There has been a lot of questions surrounding the app and whether it tracks users. The government claims that all data is anonymous and that no user tracking is involved.

The COVID-19 Exposure Notifications System

Google and Apple have developed an Exposure Notifications System (ENS). This framework works in conjunction with an official app from official public health authorities like the Department of Health.

These apps have to meet specific criteria around privacy, security and data use.

Users have to install the app on a voluntary basis. Users that get the COVID-19 virus may then share that info with the app to help alert others that they come into contact with.

If you are potentially exposed to someone with COVID-19 then the app will notify you.

Google and Apple’s Exposure Notifications API

How it works

The ENS system generates random IDs on the phone. To prevent tracking these random IDs change every 10 – 20 minutes. The phone then works in the background to share these random IDs via the phone’s Bluetooth connection to other surrounding phones.

The Bluetooth protocol only has a maximum range of 10 metres.

Your phone will collect random IDs of other users with the app installed within this 10 metres radius and then stores those IDs on your phone.

If someone reports having COVID-19 and their random ID has been stored on your phone the app will let you know what to do.

What data the app is allowed to track

According to the ENS framework, the app is only allowed to track

  • the date you were in contact with someone with COVID-19
  • how long you were in contact for and;
  • how strong the Bluetooth signal was of that contact

What data the app is not allowed to track

The Department of Health is not allowed to track the phone’s location. The ENS system does not use the user’s location or share the user’s identity with other users or with Apple and Google.

Tracking vs Data Sharing

All phones that have legitimate RICA details linked to the SIM card can be tracked easily. The NSA can for example track a phone indefinitely once they know the phone number.

In addition, the phone also has a unique indentifier linked to the networking chip, called a MAC address the doesn’t change even if the phone number changes.

Even without location tracking, it would be possible to track someone using geolocation through WiFi and mobile networks using cellular triangulation. 

Mobile phone users are increasingly paranoid about their devices tracking and snooping on them so app creators have chosen to use a Bluetooth mesh network.

https://4n6.com/cell-phone-triangulation/
https://www.eenewseurope.com/news/multi-hop-mesh-network-tech-boosts-covid-19-contact-apps

Permissions

Internet Access

Bluetooth

Access Network State

This allows the app to access information about the phone’s network state including the WiFi or mobile network that it is connected to.

Receive Boot Completed

The app has permission to auto-start once the phone has been switched on or restarted

Wake Lock Screen

Prevents the phone from entering “sleep mode”. It will keep the processor running and keep the screen on.

Foreground Service

This permission will allow the app to run as a priority app. It will continue to run even if the system is running low on resources.

Third-party services

There is sharing integrations with WhatsApp and Google Plus.

Security issues with data storage

Unsafe file deletion (HIGH)

The app exposes sensitive information to other apps that is not outright authorised to have access to that information. There is for example, a bug in this functionality which leaves behind photos taken and shared on the secret chats, even after the chats are deleted. These photos will be stored on the device and all applications installed on the Android device will still be able to access these files.

Missing protections against screenshots (MEDIUM)

This relates to any element on the screen that is not part of the app. Attackers can use the exploit in the SystemUI of Android to read screenshots.

No blurring for the apps in the background (MEDIUM)

Sensitive application data can leak through screenshots taken by the user or cached by the operating system. Blurring the mobile app screen can be used to obscure screenshots or block the device’s screenshots and prevent other sensitive mobile data from being exposed.

Data storage on the device (LOW)

The app uses a vulnerable SQLite Database. The app stores sensitive information in plain text and should be encrypted. The risk is low as the attacker would need physical access to the mobile phone or a malicious application with administrator access to the device.

Security flaws in programming

The Android application exports a part of itself for use by other applications, but does not properly restrict which applications can launch the component or access the data it contains. This means any application will be able to launch this activity. This may allow a malicious app to gain access to sensitive information, modify the internal state of the app, or trick a user into interacting with the victim application while believing they are still interacting with the malicious application. (HIGH)

Debugging Information is provided. If an application is flagged as debuggable, we can inject our own code to execute it in the context of the vulnerable application process. (MEDIUM)

Missing check for download source. Allows the app to be installed from an unknown source without user interaction. (LOW)

Missing Native Code. The application can be decompiled using Reverse Code Engineering to extracting source code from the Android Package File (APK). (MEDIUM)

Location:

Geolocation 

This class provides access to the system location services. These services allow applications to obtain periodic updates of the device’s geographical location, or to be notified when the device enters the proximity of a given geographical location.

API: Landroid/location/LocationManager;->getLastKnownLocation

ISO country code equivalent of the mobile network operator 

Returns the ISO-3166-1 alpha-2 country code equivalent of the MCC (Mobile Country Code) of the current registered operator or the cell nearby.

API: Landroid/telephony/TelephonyManager;->getNetworkCountryIso

Java reflection 

This is a feature of the code that allows the the software to examine itself and manipulate internal properties of the app.

In general, this is usually a bad idea, for reasons of performance, clarity, and robustness.

API: Ljava/lang/reflect/Method;->invoke

Conclusion

Location tracking does not need to use the GPS feature of the phone. The app uses insecure data storage and does not encrypt sensitive data. Some data is uploaded to a server. The battery life of the phone will also be severely impacted by the app keeping the phone “awake”. Although these security flaws might not be intentional, there are a lot of issues that make this app vulnerable to other malicious applications that could steal your data.

Slideshow: https://slides.com/louisnelza/covid-19-alert-sa-security-audit/

Addendum

The security vulnerabilities mentioned in my security audit of the app were included in the classes.dex file inside the application. They are not all fully implemented to pose a direct security threat but are worth noting.