
Checking Contact Tracing App Implementations with Bespoke Static Analysis

Published: 28 September 2022

Abstract

In the wake of the COVID-19 pandemic, contact tracing apps have been developed based on digital contact tracing frameworks. These allow developers to build privacy-conscious apps that detect whether an infected individual is in close proximity with others. Given the urgency of the problem, these apps have been developed at an accelerated rate with a brief testing period. Such quick development may have led to mistakes in the apps’ implementations, resulting in problems with their functionality, privacy and security. To mitigate these concerns, we develop and apply a methodology for evaluating the functionality, privacy and security of Android apps using the Google/Apple Exposure Notification API. This is a three-pronged approach consisting of a manual analysis, general static analysis and a bespoke static analysis, using a tool we have developed, dubbed MonSTER. As a result, we have found that, although most apps met the basic standards outlined by Google/Apple, there are issues with the functionality of some of these apps that could impact user safety.

Published In

SN Computer Science  Volume 3, Issue 6
Sep 2022
1318 pages

Publisher

Springer-Verlag

Berlin, Heidelberg

Publication History

Published: 28 September 2022
Accepted: 01 August 2022
Received: 01 October 2021

Author Tags

  1. Static analysis
  2. COVID-19
  3. Contact tracing
  4. Android
  5. MonSTER

Qualifiers

  • Research-article
