Analysis of SwissCovid

We present an analysis of the SwissCovid application, which is currently being tested. We observe that the essential part of SwissCovid is under the control of Apple and Google. Outsourcing the heart of SwissCovid to Apple and Google has apparent benefits in terms of security but drawbacks in terms of transparency, flexibility, and sovereignty. We observe that SwissCovid is far from being open source. The source code is kept by Microsoft. The protocol is implemented and controlled by Apple and Google. The server is hosted by Amazon. The currently available information contains unclear or incorrect statements. We confirm some of the threats which had been identified before. Users may be traced or identified by third parties while tracing is on. Diagnosed users who report using SwissCovid risk being identified by a third party. Malicious users may create false encounters and inject false at-risk notifications on targeted phones. They could abuse the system by self-injecting false alerts to have vacations paid by authorities. Diagnosed users could be corrupted to sell a covidcode, which would ease those attacks. Malicious apps could collect more information or do the job of SwissCovid outside of any control, and on behalf of a third party, even when SwissCovid is deactivated.
