COVID-19 Contact Tracing: What's the Secure Coding Situation? - Part 1
June 15, 2020

Pieter Danhieux
Secure Code Warrior

At this point, I'm sure we're all getting a little tired of the phrase, "in these unprecedented times" ... but, these really are unprecedented times. Who'd have thought at the end of last year, that we would be racing to defeat a globally destructive pandemic this year, and throwing everything we possibly could at it? It would have seemed almost laughable, and more along the lines of a new Netflix sci-fi series than part of our worldwide reality. COVID-19 has completely transformed our social lives, economy, and job security, not to mention political priorities.

One of the counter-attacks against COVID-19 has been through technology, with many countries rolling out contact tracing apps. Australia has COVIDSafe, modeled from Singapore's TraceTogether. Hong Kong, Taiwan, China, South Korea, Israel and Germany all have contact-tracing technology implemented, or on the way. The UK has been the hardest-hit region in Europe, with tens of thousands of virus-related deaths and a high infection rate. The release of their app is imminent. The USA — also deeply affected with many people tragically losing their lives — also has technology rolling out, but their state-by-state approach to contact tracing makes their situation quite complex.


With the exception of more state-controlled countries like China and Taiwan, the use of these apps is voluntary, requiring citizens to download and use the technology of their own accord. Some adoption rates are more successful than others; for example, Singapore's TraceTogether app had an adoption rate of 25%, rendering it quite ineffective for its desired purpose.

The idea behind contact tracing apps is sound. This technology, when functioning well, would ensure hotspots are quickly revealed and comprehensive testing can occur — both essential components of fighting the spread of a contagious virus. However, the words "government" and "tracing" don't exactly sound very inviting, and it's natural that people are cautious about what downloading something like this would actually mean for them.

So, what are the chief concerns of users? If online commentary is anything to go by, some of these misgivings include:

■ Lack of trust in the government to use collected data responsibly

■ Apprehension over how well personal data will be protected from cyberattacks

■ Lack of clarity in what data is actually being collected, where it is stored, and with whom

■ … and for the developers/geeks among us, how solidly the apps are actually built

It is always a bit of a worry when apps are built quickly, and these contact tracing apps are having to be rolled out in record time. It's a nightmare for developers, security people, and government agencies.

So, is mistrust a valid reaction? And what should we consider as a priority in our assessment of COVID-19 contact tracing apps and end-user safety? As a security guy, my instinct is, of course, to drill down into the cybersecurity elements of the program, namely how secure the codebase is for an app we're all (out of the best of intentions) being pushed to install.

Many of the Apps Are Copies of Each Other — and Inherit the Same Problems

Australia's COVIDSafe app is essentially based on OpenTrace(link is external), as is Singapore's TraceTogether software. The problem, however, is that TraceTogether had a range of reported issues and a poor uptake, with just 25% of the population opting in as users — far short of the 75% required for it to be effective(link is external). There have been complaints regarding its general performance, especially on iOS, including batteries being drained very quickly. COVIDSafe has a potential UX flaw in its iOS version(link is external), requiring the phone to be unlocked and the app running in the foreground to record all data properly.

While the above issues are annoying, the more pressing concern is that Bluetooth vulnerabilities are rife and neither TraceTogether, nor Australia's COVIDSafe, are immune to them. On May 14th, NIST reported that COVIDSafe had a Denial of Service vulnerability(link is external), allowing an attacker to remotely crash the app if they are in Bluetooth handshake distance. This would allow an organized attack to disrupt contact tracing in densely populated areas, where it is most useful — something explained in detail(link is external) by security researcher Richard Nelson. It is known to affect COVIDSafe, TraceTogether, Poland's ProteGO and Canada's ABTraceTogether — all inheriting the issue from OpenTrace's faulty manuData.subdata call.

There are other privacy and security issues relating to Bluetooth functionality in general, as well. The fact that this technology is being used to trace human movement through a unique ID (TempID) and collect meaningful data will inevitably mean a spiked interest in attackers testing for weaknesses, at which point exactly what is being collected, where it is being stored, and for how long, must be scrutinized.

Go to COVID-19 Contact Tracing: What's the Secure Coding Situation? - Part 2

Pieter Danhieux is CEO and Co-Founder of Secure Code Warrior
Share this

Industry News

February 13, 2025

LaunchDarkly announced the private preview of Warehouse Native Experimentation, its Snowflake Native App, to offer Data Warehouse Native Experimentation.

February 13, 2025

SingleStore announced the launch of SingleStore Flow, a no-code solution designed to greatly simplify data migration and Change Data Capture (CDC).

February 13, 2025

ActiveState launched its Vulnerability Management as a Service (VMaas) offering to help organizations manage open source and accelerate secure software delivery.

February 12, 2025

Genkit for Node.js is now at version 1.0 and ready for production use.

February 12, 2025

JFrog signed a strategic collaboration agreement (SCA) with Amazon Web Services (AWS).

February 12, 2025

mabl launched of two new innovations, mabl Tools for Playwright and mabl GenAI Test Creation, expanding testing capabilities beyond the bounds of traditional QA teams.

February 11, 2025

Check Point® Software Technologies Ltd.(link is external) announced a strategic partnership with leading cloud security provider Wiz to address the growing challenges enterprises face securing hybrid cloud environments.

February 11, 2025

Jitterbit announced its latest AI-infused capabilities within the Harmony platform, advancing AI from low-code development to natural language processing (NLP).

February 11, 2025

Rancher Government Solutions (RGS) and Sequoia Holdings announced a strategic partnership to enhance software supply chain security, classified workload deployments, and Kubernetes management for the Department of Defense (DOD), Intelligence Community (IC), and federal civilian agencies.

February 10, 2025

Harness and Traceable have entered into a definitive merger agreement, creating an advanced AI-native DevSecOps platform.

February 10, 2025

Endor Labs announced a partnership with GitHub that makes it easier than ever for application security teams and developers to accurately identify and remediate the most serious security vulnerabilities—all without leaving GitHub.

February 07, 2025

Are you using OpenTelemetry? Are you planning to use it? Click here to take the OpenTelemetry survey(link is external).

February 06, 2025

GitHub announced a wave of new features and enhancements to GitHub Copilot to streamline coding tasks based on an organization’s specific ways of working.

February 06, 2025

Mirantis launched k0rdent, an open-source Distributed Container Management Environment (DCME) that provides a single control point for cloud native applications – on-premises, on public clouds, at the edge – on any infrastructure, anywhere.

February 06, 2025

Hitachi Vantara announced a new co-engineered solution with Cisco designed for Red Hat OpenShift, a hybrid cloud application platform powered by Kubernetes.