Image: Department of Health
The Australian government has pushed out an update to its COVIDSafe app that removes a number of security and privacy issues.
Prime among them is the denial of service attack possible on iOS devices, as demonstrated by Richard Nelson in a blog post.
When devices running the app encountered a device advertising a malformed Bluetooth manufacturer identifier, the app would repeatedly crash until it was out of range of the attacker and restarted.
“This is a fairly obvious bug that should have been picked up in an automated scan and/or an in-depth security review,” Nelson wrote.
When the source code for the app landed last week, other obvious errors such as an enumeration of states, not including Tasmania, were also found.
Nelson pointed out that the model used by governments around the world to build their respective apps has not lent itself to solving the sorts of problems he identified in an easy way.
“It seems as though (I could be corrected on this) each government received a code drop of OpenTrace at some point in time, and from there on there was little to no communication,” he said.
“There’s no central repository they all build upon, no process for communicating bugs up or downstream, and in fact no security contacts that I could find at all.”
Australia’s Digital Transformation Agency (DTA) was the only body to respond to Nelson, whom he praised.
“As much as was my wish, it seemed impossible to coordinate disclosure between all affected entities. And there could be more affected applications that I just don’t know about,” he said.
Nelson’s response was much better than the one Jim Mussared experienced with the DTA.
Mussared tweeted that the latest update has fixed a pair of tracking issues, and the DTA was working on another batch of issues.
The update notes for COVIDSafe in the Google Play Store state it has improved “Bluetooth security and connectivity” and that the push notifications the app, much to the user’s chargin, are now optional.
See also: Australia’s COVIDSafe contact tracing story is full of holes and we should worry
Yesterday, the legislation around the app cleared Parliament, with Defence Minister Marise Payne stating that the number of downloads of the app would not be considered when lifting any restrictions related to the coronavirus pandemic.
“The approach to easing of restrictions, as you will have seen through the national cabinet process, is based on the health advice that’s received,” Senator Payne said.
“And the states and territories — your state, my state; quite different in their approaches — are using that as the premise, not based on the number of people who have downloaded the app.”
The admission is a contradiction of the sort of pronouncements Prime Minister Scott Morrison had made at the start of month, who said downloads of the app would be tied to the ability for Australians to go back to pubs.
“The first step to getting back to that is downloading COVIDSafe,” Morrison said in direct response to being asked when Australians could go back to the pub on May 1.
“Now, if that isn’t an incentive for Australians to download COVIDSafe on a Friday, I don’t know what is … I encourage them if they’re talking to each other on Zoom, or they’re having a cold one later on today in that environment, if they’re looking forward to doing it in a pub, well, that is a prerequisite to even getting to that conversation.”
In spite of COVIDSafe downloads not being tied to decisions related to lifting restrictions, Payne continued to encourage Australians to download the app on Wednesday.
“The endeavour to put in place an app of this nature and to encourage Australians to take up using the app, to download it, is an important part of the pathway out of the most onerous aspects of the COVID-19 restrictions that have been put in place,” she said.
“We know … that the contact tracing process is extraordinarily intensive for health authorities. Any mechanism which assists with that process is invaluable in delivering the outcomes we need, to make sure that if there is an issue, if there is an outbreak, all of the contingencies that we need to be planning for, across states and territories and through the national cabinet and the Commonwealth government — if there is a need to do that major contact tracing, we have a better facilitated process for that.”
The Defence Minister added that the lifting of restrictions was a complex process that has been addressed in a “very deliberate” way.
“The app will provide that, but the number of downloads is not conditional, in terms of the lifting of restrictions,” Payne said.
“I think what the Prime Minister and other ministers have been very clear about is how important that is to the progress and process of moving out of the most extreme of the restrictions that we have had to deal with.”
Last week the Department of Health revealed it had no target for downloads of the app.