Preinstalled Android apps can access a device’s system log containing sensitive private contact tracing data, which infringes on a user’s privacy, researchers have revealed.
An important thing to note here is that the flaw lies in how this framework has been implemented, not in its design. No such issues have been found with the iOS version of the app.
According to researchers at AppCensus, the contact-tracing framework has a privacy flaw so simple you'd think Google would never make such a blunder in the first place. Moreover, even after the privacy analysis firm AppCensus reported the flaw, Google failed to take any prompt action.
When Google and Apple announced their COVID-19 contact tracing framework back in April 2020, the companies were careful to reassure people that their data would be completely safe. The data generated through these apps, mostly concerning people's movements, who they might have come in contact with and whether they were COVID positive, was promised to be anonymised and not shared with anyone except the relevant health agencies.
Reassured, millions have since downloaded apps built on these supposedly 'secure' frameworks. However, that security doesn't seem to hold as far as the privacy of Android users is concerned.
What’s the security flaw?
The system works by having a person's smartphone record information about encounters with other nearby phones. The data gathered is then used to conclude that the two users must have been next to each other. If either user is infected, or an encounter involved a contagious person, the app can perform a risk calculation to assess the user's risk of infection.
The two smartphones exchange information over Bluetooth using random-looking values called Rolling Proximity Identifiers (RPIs). These RPIs change every 15 minutes so that the RPI footprint cannot be used to track a particular user. To make the system more secure, the RPIs are derived from keys that change every 24 hours.
It's these RPIs that carry the information about whether or not the owner of the phone they originated from is infected. The issue is that these RPIs are saved in the system log. That may not seem like a problem, since Android security controls have prevented normal apps from accessing this log since 2012, but there's a catch.
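To make the key schedule above concrete, here is an added example (not code from the article, AppCensus or the Exposure Notification framework) of a daily key producing one identifier per rotation interval, plus the matching step that turns a record of observed RPIs into "that encounter was with an infected user" once keys are published. The real framework derives RPIs with HKDF and AES-128; this example assumes a truncated HMAC-SHA256 as the pseudorandom function so it runs with the standard library alone, and the `EN-RPI` label and 15-minute interval are taken as given for illustration.

```python
import hmac
import hashlib
import os
from typing import List

# Added illustration of the RPI key schedule described in the article: one key
# per day, one identifier per rotation interval. The real Exposure Notification
# framework derives RPIs with HKDF and AES-128; this example substitutes
# HMAC-SHA256 truncated to 16 bytes as the pseudorandom function (an assumption
# made so the code runs with the standard library only).
DAY_SECONDS = 24 * 60 * 60
ROTATION_SECONDS = 15 * 60                            # article: one RPI per 15 minutes
INTERVALS_PER_DAY = DAY_SECONDS // ROTATION_SECONDS   # 96 identifiers per daily key


def new_daily_key() -> bytes:
    """A fresh 16-byte key; a device generates one of these every 24 hours."""
    return os.urandom(16)


def rolling_identifier(daily_key: bytes, interval: int) -> bytes:
    """The 16-byte RPI broadcast during one rotation interval of the key's day."""
    if not 0 <= interval < INTERVALS_PER_DAY:
        raise ValueError("interval must be within one day")
    msg = b"EN-RPI" + interval.to_bytes(4, "little")
    return hmac.new(daily_key, msg, hashlib.sha256).digest()[:16]


def identifiers_for_day(daily_key: bytes) -> List[bytes]:
    """Every RPI a device would broadcast over the day covered by daily_key."""
    return [rolling_identifier(daily_key, i) for i in range(INTERVALS_PER_DAY)]


def match_observed(observed: List[bytes], published_keys: List[bytes]) -> List[int]:
    """Positions in `observed` that were emitted by any published (infected) key.

    Without the daily key, RPIs from different intervals are unlinkable. Once a
    key is published, any record of observed RPIs, including a system log, is
    enough to perform this match, which is why logging them is a leak.
    """
    known = set()
    for key in published_keys:
        known.update(identifiers_for_day(key))
    return [i for i, rpi in enumerate(observed) if rpi in known]


if __name__ == "__main__":
    mine, theirs = new_daily_key(), new_daily_key()
    seen = [rolling_identifier(theirs, 12), rolling_identifier(mine, 40)]
    print("matches against published key:", match_observed(seen, [theirs]))
```

The point the example makes is that the RPI itself says nothing until the daily key behind it is published; the leak comes from keeping the observed RPIs somewhere that other parties can read them after that point.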
Google allows hardware manufacturers, network operators and their commercial partners to preload apps on phones with elevated privileges, which means those apps can access these system logs and a user's COVID infection data, along with anything else the contact tracing app decides to log.
These pre-installed apps are highly prevalent. A stock Samsung Galaxy A11 has 131 privileged apps, 89 of which could access this system log using a permission called READ_LOGS. Xiaomi's Redmi Note 9 has 77 preinstalled apps, 54 of which have the READ_LOGS permission.
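A practitioner who wants the equivalent count for their own handset can get it from `adb shell dumpsys package`, which lists every package with its flags and granted permissions. The following is an added example (not AppCensus' tooling) that parses that output and reports which packages actually hold READ_LOGS; the sample text is constructed in the shape of `dumpsys package` output, with invented package names, and is abbreviated to the fields the audit needs.

```python
import re
from typing import Dict, List

# Constructed sample in the shape of `adb shell dumpsys package` output (heavily
# abbreviated; package names are invented). Only the package header, the
# privateFlags line and the install permissions block are kept.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.vendor.diag] (1a2b3c):
    userId=10045
    pkgFlags=[ SYSTEM HAS_CODE ]
    privateFlags=[ PRIVILEGED ]
    requested permissions:
      android.permission.READ_LOGS
      android.permission.INTERNET
    install permissions:
      android.permission.READ_LOGS: granted=true
      android.permission.INTERNET: granted=true
  Package [com.example.game] (4d5e6f):
    userId=10123
    pkgFlags=[ HAS_CODE ]
    privateFlags=[ ]
    requested permissions:
      android.permission.READ_LOGS
      android.permission.INTERNET
    install permissions:
      android.permission.INTERNET: granted=true
  Package [com.carrier.helper] (7a8b9c):
    userId=10030
    pkgFlags=[ SYSTEM HAS_CODE ]
    privateFlags=[ PRIVILEGED ]
    install permissions:
      android.permission.READ_LOGS: granted=true
"""

READ_LOGS = "android.permission.READ_LOGS"
PKG_RE = re.compile(r"^\s*Package \[([^\]]+)\]")
GRANTED_RE = re.compile(r"^\s*(\S+): granted=true")


def parse_packages(text: str) -> Dict[str, dict]:
    """Map package name -> {'privileged': bool, 'granted': set of permissions}."""
    packages: Dict[str, dict] = {}
    current = None
    for line in text.splitlines():
        header = PKG_RE.match(line)
        if header:
            current = header.group(1)
            packages[current] = {"privileged": False, "granted": set()}
            continue
        if current is None:
            continue
        if line.strip().startswith("privateFlags=") and "PRIVILEGED" in line:
            packages[current]["privileged"] = True
        granted = GRANTED_RE.match(line)
        if granted:
            packages[current]["granted"].add(granted.group(1))
    return packages


def log_readers(text: str) -> List[str]:
    """Packages that actually hold READ_LOGS. Requesting it is not enough: it is
    a signature|privileged permission, so an ordinary app (com.example.game in
    the sample) asks for it and is refused."""
    pkgs = parse_packages(text)
    return sorted(n for n, p in pkgs.items() if READ_LOGS in p["granted"])


def privileged_log_readers(text: str) -> List[str]:
    """The subset of log readers that also carry the PRIVILEGED flag."""
    pkgs = parse_packages(text)
    return sorted(n for n, p in pkgs.items()
                  if p["privileged"] and READ_LOGS in p["granted"])


if __name__ == "__main__":
    # On a real device: adb shell dumpsys package > dump.txt, then pass the file
    # contents instead of SAMPLE_DUMPSYS.
    for name in log_readers(SAMPLE_DUMPSYS):
        print(name)
```

Counting the granted permission rather than the requested one matters: a non-privileged app that lists READ_LOGS in its manifest never receives it, which is exactly the control the article says preloaded privileged apps bypass.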
The privacy risks
Of course, Android users are at much greater risk, but you may be surprised to learn that some Apple users are at risk too because of this vulnerability.
The problem here is that sensitive data is being written to the system log, where other entities have access to it.
According to Joel Reardon, co-founder and forensics lead of AppCensus, “This fix is a one-line thing where you remove a line that logs sensitive information to the system log. It doesn’t impact the program and doesn’t change how it works.”
In this case, the logged data can indicate whether or not a person is COVID infected, along with their device name, MAC address and advertising ID from other apps. Since the aforementioned 'system' apps have the permission required to read system logs, they could, in theory, access this data and send it back to their companies' servers.
No evidence of this happening has been found yet; however, nothing prevents companies and developers from doing so.
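The practical defence on the app side is to catch this class of leak before release. The block below is an added example (not AppCensus' work and not the framework's code) of a check that scans log lines for the kinds of values the article lists, a MAC address, a 16-byte identifier such as an RPI printed as hex, and a UUID-shaped advertising ID, and of a redacting helper for any value that genuinely has to be logged. The log lines, tags and values are constructed for the example and are not the framework's real log output.

```python
import re
from typing import Dict, List

# Patterns for the kinds of data the article says ended up in the system log.
# The 32-hex pattern matches a 16-byte identifier (an RPI) printed as hex; the
# UUID pattern matches an advertising ID.
PATTERNS = {
    "mac": re.compile(r"\b(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}\b"),
    "rpi": re.compile(r"\b[0-9A-Fa-f]{32}\b"),
    "adid": re.compile(
        r"\b[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\b", re.I),
}

# Constructed logcat-style lines (tags, values and layout invented for this
# example; they are not the framework's real log output).
SAMPLE_LOG = [
    "04-27 10:15:02.123  1234  1234 I ExposureScan: device=Galaxy-A11 "
    "addr=5C:2E:59:A1:B2:C3 rpi=9f86d081884c7d659a2feaa0c55ad015",
    "04-27 10:15:02.130  1234  1234 D AdsBridge: "
    "adid=123e4567-e89b-12d3-a456-426614174000 status=ok",
    "04-27 10:15:03.001  1234  1234 I ExposureScan: scan window closed, 3 beacons seen",
]


def scan_line(line: str) -> List[str]:
    """Kinds of sensitive identifier present in one log line, in PATTERNS order."""
    return [kind for kind, rx in PATTERNS.items() if rx.search(line)]


def scan_log(lines: List[str]) -> List[Dict[str, object]]:
    """Findings for a whole log: one entry per line that leaks something."""
    findings = []
    for i, line in enumerate(lines):
        kinds = scan_line(line)
        if kinds:
            findings.append({"line": i, "kinds": kinds})
    return findings


def redact(line: str) -> str:
    """What a hardened logging helper would emit instead. The simplest fix, as
    the article notes, is to drop the log statement entirely; redaction is the
    fallback for lines that must stay."""
    for kind, rx in PATTERNS.items():
        line = rx.sub(f"<{kind}-redacted>", line)
    return line


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding, "->", redact(SAMPLE_LOG[finding["line"]]))
```

Run over a captured `adb logcat -d` dump during testing, the scanner gives a release gate that fails when identifiers of these shapes appear, independent of which app wrote them.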
Reardon has tried his best to make this issue known to Google, even going through its bug bounty program. However, he was told by the Google Security Team that the flaw wasn't serious enough to warrant a payout and that the team would "decide whether they want to make a change or not."
Reardon had also reached out to Giles Hogben, the director of privacy for Android engineering, on February 19, expressing his concerns about preinstalled apps being able to read the log data.
Hogben wrote back in an email dated February 25th that system logs haven't been readable by unprivileged apps (only by those holding the privileged READ_LOGS permission) since well before Android 11. However, Reardon still insists that hundreds of preinstalled apps can read the system logs in question.