A major flaw in a widely-used app raises questions about how much to share
From Singapore to the UK, and all places in between, we’re being encouraged to download and install contact tracing apps to help track the spread of the novel coronavirus, which causes COVID-19, the disease responsible for hundreds of thousands of deaths worldwide. The apps, which often use Bluetooth Low Energy connections to monitor how we interact with each other, are designed to help us out of the lockdown that has kept us all indoors across the globe.
But there are issues with handing over so much personal data to apps that have been developed so quickly, as researchers are rapidly finding out.
Telling everything you know
Data privacy experts have warned repeatedly about the issues around such contact tracing apps, and the risks involved in using them. While it’s important to monitor how coronavirus is spreading within a community, it’s also important to maintain personal privacy, not least when you’re disclosing elements of your health.
For that reason, advocates of data protection have proposed decentralised apps that are easier to store data on, and don’t run the risk of someone managing to access vast amounts of information about people. They’re also advising users to be careful about what kind of information they provide, steering away from giving names, birth dates or anything else that could be used to directly identify them.
It’s a fine line to tread for the average user between staying safe from the medical issue that is ensnaring the world, and not getting caught up in the risky business of having your personal information hacked at a later date.
More haste, less speed
Many of these apps have been designed, developed and rolled out quickly, often without rigorous user testing. The Apple version of the UK’s own coronavirus symptom-checking app is believed to actually work only if the phone passes an Android phone at some point – an indication of just how bad it can be.
Singapore’s own app suffered from a low uptake in part because it required the app to be open and the screen switched on at all times to work – difficult when you’re holding your phone in your pocket. But the biggest fear is a data breach – and we’ve just learned that what was a hypothetical issue is now a reality.
Jio’s symptom checker springs a leak
Indian mobile phone network Jio, which has rolled out superfast mobile connections across the country, released its own symptom checking app in India in late March as a way of helping monitor symptoms just before the Indian government shut down the entire country.
Users could answer questions and report symptoms to the app, which would then collate the data to monitor the spread of coronavirus and the scale of its severity. But a security researcher has identified that, for a time, Jio transmitted that data to a database that was available on the internet and accessible without a password.
The database had millions of logs dating back to mid-April, including ages, gender and details of people who took the app-based test. It’s a privacy nightmare, and one that Jio said they took immediate action to fix when they were informed of the vulnerability.
But it highlights the issue with trying to develop things like this at such a speed, and particularly when you’re dealing with the personal data of those participants. This isn’t just your age and your thoughts – this is private healthcare data that could be used against you by hackers.
The data wasn’t just limited to India, either. Some people outside the country, including in North America and the UK, had downloaded the app and entered their details, leaving them potentially exposed to hackers. So when you’re asked to install a symptom-checking app, think twice about what you share with it.