In some positive news about the Federal Government’s COVIDSafe app, the University of Adelaide’s cybersecurity experts have assessed the Australian contact tracing app to be one of the best and safest among 34 apps used globally to track and trace COVID-19 cases.
A team from the University’s School of Computer Science made the judgment in a study which assessed Android versions of 34 of the world’s COVID-19 contact tracing apps for security and privacy vulnerabilities.
In a statement published by the University, the team stated that the Australian COVIDSafe app is one of the safest. Associate Professor Damith Ranasinghe from the team emphasised that “[E]veryone in Australia should be using the COVIDSafe app, in our opinion. It’s one of the best of its kind anywhere in the world today.” This echoes earlier calls by privacy legal professionals who signed an open letter in May encouraging Australians to download the app.
However, it’s not all good news for the other 33 tracing apps. The study has found that:
- 70% of the apps pose potential security risks because they employ cryptographic algorithms that are insecure or not part of best practice, and store sensitive information in clear text that could potentially be read by attackers;
- over 60% of the apps have vulnerabilities arising from “manifest weaknesses”, such as allowing permissions for backup, which may allow unencrypted data to be copied; and
- about 75% of the apps also contain at least one tracker or cookie.
As noted in the study, there is no solution that can protect users’ privacy against all malicious attacks. However, this study serves as a reminder that cybersecurity and privacy still have to be thoroughly considered, even in such alarming circumstances as the COVID-19 pandemic. Our Australian experience has shown that individuals can be happy to give up some privacy freedoms for a well-balanced app, as indicated by the approximately 6.5 million Australian downloads of the COVIDSafe app to date. Maybe we should be turning a profit and selling this app to other countries – we hear from our UK colleagues that they haven’t been able to deploy an app yet.