The Australian Government’s COVIDSafe application hit the Google Play and Apple App stores on Sunday night. Are you confused about how the app works and whether it is safe to install?

In this post, we delve into what we know so far, some potential privacy issues, and why we think on balance it’s important that as many people as possible download and install it.

So How Can An App Stop Me From Getting Coronavirus?

It’s all about contact tracing, an important weapon in the fight against a contagious virus like COVID-19: when someone tests positive, the health authorities begin a laborious process of trying to get in touch with everyone they’ve been in close contact with while they were infectious. The sooner those people can take precautions, isolate themselves, and potentially get tested, the fewer people they will pass the virus onto.

That means you might now not catch it because someone you would otherwise have come into contact with is already at home, isolating.

One of the reasons why COVID-19 has spread so widely is that people who catch it are typically contagious before they show symptoms. Some people who catch it may never show symptoms, but still put their friends, colleagues and family at risk by potentially passing it on to them.

The COVIDSafe app helps to improve and speed up the contact tracing process by partially automating it. If you have the app installed, then your phone will have a record of every other app user you’ve come into contact with over the last 21 days. The contact tracers can use this data to begin alerting those people.

It’s the same process you’d previously have been asked to do entirely manually, except now it will likely be much more accurate. Let’s face it, could you remember everyone you’ve come into contact with over the last few weeks?

So How Does the App Work?

While the government has promised to release the COVIDSafe source code within the next few weeks, here’s what we know so far. Some of this is based on what the government has told us, while other information has come from the Australian tech community, who have begun reverse-engineering the Android and iPhone apps and trawling through the code.

The first thing to note is what the app does not do.

It doesn’t track your location. It uses Bluetooth to communicate with nearby devices, but doesn’t capture the location where that communication took place. While the Android app does ask for location permissions, this is due to a quirk in the Android OS Bluetooth permissions, which don’t offer a way to ask for access to the Bluetooth Low Energy API the app needs without also asking for location; those who have reviewed the decompiled source code have confirmed that the location APIs are not used, at least not in the current version of the app. The iPhone app only asks for Bluetooth access.

So what information does it collect? When you register, you have to provide a name, age range, postcode and phone number, all of which get sent to the central government server, hosted in AWS in the Sydney datacentre. But only the phone number is verified, so there's no obligation to provide your real name, age or location.

The information about which phones have been in contact with each other is not sent to the central government server unless one of the parties tests positive for COVID-19. When two phones exchange details they share their own unique pseudonymous IDs over Bluetooth, but these are initially only stored on those individual phones, with a rolling 21 day deletion period removing the oldest data once it is no longer useful for contact tracing. The unique ID that your app broadcasts is also regularly changed to reduce the risk of a malicious third party trying to track your movements.

If you test positive, you’ll be asked to use the option in the app to upload your local data to the central server. The authorities can match those stored IDs with the phone numbers provided during registration and start notifying individuals who have come into contact with you.

So What Are The Potential Risks?

While the COVIDSafe app doesn’t share your location, security researchers have identified some potential risks with the app’s architecture.

One of those is the way those unique IDs that are shared between phones are generated and renewed. Since your phone with the app installed will be broadcasting this ID, it needs to be regularly refreshed to mitigate the risk of your phone being tracked by other (potentially malicious) actors. The IDs are generated on the central server, and downloaded by the app every 2 hours, but if the COVIDSafe app isn’t open or cannot connect to the internet it will keep using the same ID for potentially a much longer period, increasing the risk that a user of the app could be tracked by a third party, although it should be noted that this type of tracking will be made illegal under new legislation.

Another potential issue with the app architecture, is that it currently broadcasts the make and model of your phone in plain text along with the ID. The technical reason for this is so that the system can estimate the distance between phones that exchange details (important for contact tracing purposes given that COVID-19 cannot travel more than a short distance through the air). Different phone models transmit Bluetooth signals at different power levels. Rather than attempt to calculate this on the client (phone) side, the developers opted to capture the phone model details so that the calculation can be done server-side. In many ways this is a sensible decision, as it allows the calculation to be modified later as more data about the Bluetooth signal strength of different phone models becomes available, but it does present an additional privacy risk by exposing an additional piece of information about users.

As the security researchers note:

Although it may seem innocuous, the exact phone model of a person’s contacts could be extremely revealing information. Suppose for example that a person wishes to understand whether another person whose phone they have access to has visited some particular mutual acquaintance. The controlling person could read the (plaintext) logs of COVIDSafe and detect whether the phone models matched their hypothesis. This becomes even easier if there are multiple people at the same meeting. This sort of group re-identification could be possible in any situation in which one person had control over another's phone. Although not very useful for suggesting a particular identity, it would be very valuable in confirming or refuting a theory of having met with a particular person.

Chris Culnane, Eleanor McMurtry, Robert Merkel, Vanessa Teague

Is There Anything Else I Need To Know?

In the initial release of COVIDSafe there were issues with the iPhone app when running in the background. Thanks to the work of members of the Australian tech community, who devoted their own time to investigating these issues and alerting the DTA, many of these issues have now been resolved and the app should now work much more effectively when backgrounded. If you’ve already installed COVIDSafe, then you should make sure you get the latest update from your phone’s app store.

In addition, Google and Apple have both been working to introduce contact tracing capability into their core OS offering, so further improvements may be possible when that becomes available, potentially in a matter of weeks, but of course that will require users to download OS and app updates.

So Should You Install COVIDSafe?

The bottom line is that for the app to be effective it needs a critical mass of users, with the government indicating that 40% of the Australian public is the magic threshold.

While everyone should make their own decisions about whether to install, the information collected by the app is relatively benign. For the vast majority of people, any potential risk associated with the app is hugely outweighed by the common good of helping to keep COVID-19 under control, and potentially meaning we can all get back to something close to normal life as soon as possible.

As privacy advocate Simon Harman writes:

Yes, there is potential that the central servers could be hacked (but your phone number has probably been leaked in dozens of places already, and your health records are online now too, so not much additional risk). Yes, there is potential for ‘surveillance beacons’ to be set up by the health system so they can work out who stood next to a fixed position for more than 15 minutes — but this is ridiculous, if the governments want to know where you are, they can just ask your phone company. Realistically, you’re taking a risk every time you download an app. Just owning a phone is a privacy risk. In the age of Google Maps, Siri, Facebook Pixel, Fitbit, and metadata retention, I really don’t think COVIDSafe even deserves a mention in the 2020 Top 500 list of apps and services that seriously expose users to privacy risks. Most of us are running much bigger threats in the background 24/7 without even thinking about it.

Simon Harman, Loki Foundation

You can download the app from the Google Play and Apple App stores.

Get The Latest Stats

Explore our COVID-19 dashboard in MotionBoard here.

Matt Armstrong

View posts by Matt Armstrong
With almost two decades' experience in the technology industry, Matt is WingArc Australia's manager of marketing and communications.
Scroll to top