Skip to main content

Android devices are leaking contact tracing data all over the place

Contact tracing app
(Image credit: Future)
Audio player loading…

If you have a contact tracing app (opens in new tab) installed on your Android smartphone (opens in new tab), it could be leaking data to other apps according to new research from the privacy and security firm AppCensus (opens in new tab).

Last year Google and Apple teamed up to develop a contact tracing API (opens in new tab) which uses Bluetooth and GPS data to provide a low-cost solution to find out who those infected with Covid-19 came in contact with. Contact tracing has traditionally been done manually but due to the prevalence of smartphones today, tech giants and governments around the world decided to work together to use technology to stop the virus' spread.

While Google and Apple developed their Exposure Notifications System (ENS (opens in new tab)) to power contact tracing apps, hundreds of third-party apps on Android were given access to the sensitive data collected from users' devices. This is because Google decided to store all of the sensitive data collected by ENS in the system logs of Android smartphones.

Although not all apps are able to read system logs on Android, the search giant does allow some hardware manufacturers, telecoms and commercial partners to pre-install “privileged” apps which are able to access system logs.

Leaking contact tracing data

In a new blog post (opens in new tab), co-founder and forensics lead of AppCensus, Joel Reardon points out the fact that Xiaomi's Redmi Note 9 (opens in new tab) allows 54 apps to read system logs while the Samsung Galaxy A11 (opens in new tab) does so with 89 apps. As a result, many apps that don't need to access a device's contact tracing data had it shared with them on Android.

In order for smartphones to be used for contact tracing, apps using Android and Google's API emit anonymous identifiers that change periodically called rolling proximity identifiers (RPIs) that are broadcast over Bluetooth. These RPIs are then used to determine who a person may have come in contact with while they were infected with Covid-19.

According to AppCensus, RPIs that are broadcast and those that are heard by other devices can be found in the system logs of Android devices. Devices that hear another smartphone's RPIs also log the current Bluetooth MAC address of the sending device. While RPIs and Bluetooth Mac addresses are random and anonymized, AppCensus was able to identify several ways that this data can be used to carry out privacy attacks.

After making this discovery, the firm quickly reached out to Google though the search giant did not acknowledge or fix the issue at the time. AppCensus then made its findings public after 60 days had elapsed which is a bit shorter than Project Zero's own 90-day disclosure period (opens in new tab).

In a statement (opens in new tab) to ZDNet, a Google spokesperson explained that the company had already looked into the issue and that an update first began rolling out to Android devices several weeks ago to fix it, saying:

"We were notified of an issue where the Bluetooth identifiers were temporarily accessible to some pre-installed applications for debugging purposes. Immediately upon being made aware of this research, we began the necessary process to review the issue, consider mitigations and ultimately update the code. These Bluetooth identifiers do not reveal a user's location or provide any other identifying information and we have no indication that they were used in any way – nor that any app was even aware of this." 

Via ZDNet (opens in new tab)

Anthony Spadafora
Anthony Spadafora

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.