
A privacy and security analysis of early-deployed COVID-19 contact tracing Android apps

As this article is being drafted, the SARS-CoV-2/COVID-19 pandemic is causing harm and disruption across the world. Many countries aimed at supporting their contact tracers with the use of digital contact tracing apps in order to manage and control the spread of the virus. Their idea is the automati...


Bibliographic Details
Main authors: Hatamian, Majid, Wairimu, Samuel, Momen, Nurul, Fritsch, Lothar
Format: Online Article Text
Language: English
Published: Springer US 2021
Subjects:
Online access: https://www.ncbi.nlm.nih.gov/pmc/articles/PMC7978168/
https://www.ncbi.nlm.nih.gov/pubmed/33776548
http://dx.doi.org/10.1007/s10664-020-09934-4
_version_ 1783667167536873472
author Hatamian, Majid
Wairimu, Samuel
Momen, Nurul
Fritsch, Lothar
collection PubMed
description As this article is being drafted, the SARS-CoV-2/COVID-19 pandemic is causing harm and disruption across the world. Many countries aimed at supporting their contact tracers with the use of digital contact tracing apps in order to manage and control the spread of the virus. Their idea is the automatic registration of meetings between smartphone owners for the quicker processing of infection chains. To date, there are many contact tracing apps that have already been launched and used in 2020. There has been a lot of speculations about the privacy and security aspects of these apps and their potential violation of data protection principles. Therefore, the developers of these apps are constantly criticized because of undermining users’ privacy, neglecting essential privacy and security requirements, and developing apps under time pressure without considering privacy- and security-by-design. In this study, we analyze the privacy and security performance of 28 contact tracing apps available on Android platform from various perspectives, including their code’s privileges, promises made in their privacy policies, and static and dynamic performances. Our methodology is based on the collection of various types of data concerning these 28 apps, namely permission requests, privacy policy texts, run-time resource accesses, and existing security vulnerabilities. Based on the analysis of these data, we quantify and assess the impact of these apps on users’ privacy. We aimed at providing a quick and systematic inspection of the earliest contact tracing apps that have been deployed on multiple continents. Our findings have revealed that the developers of these apps need to take more cautionary steps to ensure code quality and to address security and privacy vulnerabilities. They should more consciously follow legal requirements with respect to apps’ permission declarations, privacy principles, and privacy policy contents.
format Online
Article
Text
id pubmed-7978168
institution National Center for Biotechnology Information
language English
publishDate 2021
publisher Springer US
record_format MEDLINE/PubMed
spelling pubmed-7978168 2021-03-23 A privacy and security analysis of early-deployed COVID-19 contact tracing Android apps Hatamian, Majid Wairimu, Samuel Momen, Nurul Fritsch, Lothar Empir Softw Eng Article Springer US 2021-03-19 2021 /pmc/articles/PMC7978168/ /pubmed/33776548 http://dx.doi.org/10.1007/s10664-020-09934-4 Text en © The Author(s) 2021 https://creativecommons.org/licenses/by/4.0/
Open Access: This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article's Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article's Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/.
title A privacy and security analysis of early-deployed COVID-19 contact tracing Android apps
topic Article