Google will fix an issue that allowed other apps access to COVID-19 contact tracing logs

Ben Schoon | Apr 27 2021 - 10:55 am PT

While it didn’t scale in the way it really needed to, contact tracing was a big deal as tech was utilized in an effort to curb the spread of COVID-19. An issue on the Android side of the Google/Apple COVID-19 contact-tracing API, though, may have allowed other apps access to the logs stored on your device.

Privacy was, understandably, a big priority for the contact tracing APIs that Google and Apple co-developed in 2020 and were widely used in apps from healthcare authorities later in the year. To accomplish that, all of the data was anonymized and stored only on your device, and only accessed when comparing with positive reports of the virus.

A report from privacy analysis firm AppCensus (via the Verge) revealed an ongoing issue with Android’s implementation of the COVID contact tracing API, though. Since at least February of this year, some apps that didn’t need access to contact tracing logs were able to access them. As scary as that sounds, there are two reasons not to panic. First, there’s no evidence of this data being accessed by apps other than those that use the COVID APIs. Second, the only apps that can access the data in the first place are apps pre-installed on the device which, generally speaking, would be considered safe against attacks like these. Still, it’s a loophole that needs to be fixed.

Google has committed to rolling out a fix for this issue, saying that work is “ongoing.” A representative said:

We were notified of an issue where the Bluetooth identifiers were temporarily accessible to specific system level applications for debugging purposes, and we immediately started rolling out a fix to address this.

Speaking to the Markup, AppCensus cofounder Joel Reardon said that fixing this issue is as simple as removing a “few non-essential lines of code,” and that he was “flabbergasted that it wasn’t seen as” such an “obvious fix” by Google.