{"id":237646,"date":"2021-04-28T20:33:27","date_gmt":"2021-04-28T17:33:27","guid":{"rendered":"https:\/\/en.buradabiliyorum.com\/an-android-bug-let-some-apps-improperly-access-covid-19-tracing-data-review-geek\/"},"modified":"2021-04-28T20:33:27","modified_gmt":"2021-04-28T17:33:27","slug":"an-android-bug-let-some-apps-improperly-access-covid-19-tracing-data-review-geek","status":"publish","type":"post","link":"https:\/\/buradabiliyorum.com\/en\/an-android-bug-let-some-apps-improperly-access-covid-19-tracing-data-review-geek\/","title":{"rendered":"#An Android Bug Let Some Apps Improperly Access COVID-19 Tracing Data \u2013 Review Geek"},"content":{"rendered":"

“#An Android Bug Let Some App<\/a>s Improperly Access COVID-19 Tracing Data \u2013 Review Geek”<\/strong><\/p>\n

\n
\"Google
quietbits\/Shutterstock.com<\/a><\/span><\/figcaption><\/figure>\n

A <\/span>privacy flaw<\/span><\/a> in the Android version of Apple and Google\u2019s COVID-19 exposure notification app potentially allowed other preinstalled apps to see sensitive data, including if users had contact with a COVID-positive person. Google is now working on rolling out a fix.<\/span><\/p>\n

Privacy analysis firm <\/span>AppCensus<\/span><\/a> first noticed the bug in February and reported it to Google. However, according to <\/span>The Markup<\/span><\/i><\/a>, Google failed to address it at the time. The bug goes against multiple promises made by Apple CEO Tim Cook, Google CEO Sundar Pichai, and several public health officials that the data collected from the exposure app would not be shared beyond an individual\u2019s device.<\/span><\/p>\n

\u201cThe fix is a one-line thing where you remove a line that logs sensitive information to the system log. it doesn\u2019t impact the program, it doesn\u2019t change how it works,\u201d said Joel Reardon, co-founder and forensics lead of AppCensus in the same interview with <\/span>The Markup<\/span><\/i>. \u201cIt\u2019s such an obvious fix, and I was flabbergasted that it wasn\u2019t seen as that.\u201d<\/span><\/p>\n

The article also shared a quote from Google spokesperson Jos\u00e9 Casta\u00f1eda, who stated \u201cWe were notified of an issue where the Bluetooth identifiers were temporarily accessible to specific system level applications for debugging purposes, and we immedia<\/a>tely started rolling out a fix to address this.\u201d<\/span><\/p>\n

\"Hands
Daria Nipot\/Shutterstock.com<\/a><\/span><\/figcaption><\/figure>\n

In order for the exposure notification system to work, it needs to ping anonymized Bluetooth signals of devices with the system activated. Then, in the event one of the users tests positive for COVID-19, it works with health authorities to send an alert to other users who came into contact with that person with corresponding signals that are logged in the phone\u2019s memory.<\/span><\/p>\n

The issue is that, on Android phones, contract-tracing data is logged in privileged system memory. While most of the apps and software running on these devices don\u2019t have access to this, apps that are preinstalled by manufactures like Google or LG or Verizon do have special system privileges that allow them to potentially access these data logs, making them vulnerable.\u00a0<\/span><\/p>\n

AppCensus has found no indications that any preinstalled apps have collected data, however, nor did it find this to be the case with the exposure notification system on iPhones. The company\u2019s Chief Technology<\/a> Officer, Serge Egelmen, emphasized <\/span>on Twitter<\/span><\/a> that the bug is an implementation issue and not the fault of the exposure notification system and that it should damage the public\u2019s trust in public health technologies.\u00a0<\/span><\/p>\n

via <\/span>The Verge<\/span><\/a><\/small>\n<\/div>\n