Checking Contact Tracing App Implementations with Bespoke Static Analysis

In the wake of the COVID-19 pandemic, contact tracing apps have been developed based on digital contact tracing frameworks. These allow developers to build privacy-conscious apps that detect whether an infected individual is in close proximity with others. Given the urgency of the problem, these app...

Descripción completa

Detalles Bibliográficos
Autores principales: Flood, Robert, Chan, Sheung Chi, Chen, Wei, Aspinall, David
Formato: Online Artículo Texto
Lenguaje:English
Publicado: Springer Nature Singapore 2022
Materias:
Original Research
Acceso en línea:https://www.ncbi.nlm.nih.gov/pmc/articles/PMC9517973/
https://www.ncbi.nlm.nih.gov/pubmed/36193263
http://dx.doi.org/10.1007/s42979-022-01357-w
Descripción
Sumario:In the wake of the COVID-19 pandemic, contact tracing apps have been developed based on digital contact tracing frameworks. These allow developers to build privacy-conscious apps that detect whether an infected individual is in close proximity with others. Given the urgency of the problem, these apps have been developed at an accelerated rate with a brief testing period. Such quick development may have led to mistakes in the apps’ implementations, resulting in problems with their functionality, privacy and security. To mitigate these concerns, we develop and apply a methodology for evaluating the functionality, privacy and security of Android apps using the Google/Apple Exposure Notification API. This is a three-pronged approach consisting of a manual analysis, general static analysis and a bespoke static analysis, using a tool we have developed, dubbed MonSTER. As a result, we have found that, although most apps met the basic standards outlined by Google/Apple, there are issues with the functionality of some of these apps that could impact user safety.

Ejemplares similares