An Empirical Assessment of Global COVID-19 Contact Tracing Applications
This addresses security and privacy concerns for public health authorities and users deploying contact tracing apps, though it is incremental as it builds on existing assessment methods.
The paper tackled the security and privacy weaknesses in global COVID-19 contact tracing apps by developing COVIDGUARDIAN, an automated assessment tool that identified issues and led to guidelines for safer deployment.
The rapid spread of COVID-19 has made manual contact tracing difficult. Thus, various public health authorities have experimented with automatic contact tracing using mobile applications (or "apps"). These apps, however, have raised security and privacy concerns. In this paper, we propose an automated security and privacy assessment tool, COVIDGUARDIAN, which combines identification and analysis of Personal Identification Information (PII), static program analysis and data flow analysis, to determine security and privacy weaknesses. Furthermore, in light of our findings, we undertake a user study to investigate concerns regarding contact tracing apps. We hope that COVIDGUARDIAN, and the issues raised through responsible disclosure to vendors, can contribute to the safe deployment of mobile contact tracing. As part of this, we offer concrete guidelines, and highlight gaps between user requirements and app performance.