A First Look at Privacy Analysis of COVID-19 Contact Tracing Mobile Applications

Today’s smartphones are equipped with a large number of powerful value-added sensors and features such as a low power Bluetooth sensor, powerful embedded sensors such as the digital compass, accelerometer, GPS sensors, Wi-Fi capabilities, microphone, humidity sensors, health tracking sensors, and a camera, etc. These value-added sensors have revolutionized the lives of the human being in many ways such, as tracking the health of the patients and movement of doctors, tracking employees movement in large manufacturing units, and monitoring the environment, etc. These embedded sensors could also be used for large-scale personal, group, and community sensing applications especially tracing the spread of certain diseases. Governments and regulators are turning to use these features to trace the people thought to have symptoms of certain diseases or virus e.g. COVID-19. The outbreak of COVID-19 in December 2019, has seen a surge of the mobile applications for tracing, tracking and isolating the persons showing COVID-19 symptoms to limit the spread of disease to the larger community. The use of embedded sensors could disclose private information of the users thus potentially bring threat to the privacy and security of users. In this paper, we analyzed a large set of smartphone applications that have been designed to contain the spread of the COVID-19 virus and bring the people back to normal life. Specifically, we have analyzed what type of permission these smartphone apps require, whether these permissions are necessary for the track and trace, how data from the user devices is transported to the analytic center, and analyzing the security measures these apps have deployed to ensure the privacy and security of users.

[1]  Jun Ho Huh,et al.  Analyzing Unnecessary Permissions Requested by Android Apps Based on Users' Opinions , 2014, WISA.

[2]  David A. Wagner,et al.  The Effectiveness of Application Permissions , 2011, WebApps.

[3]  Paul C. van Oorschot,et al.  A methodology for empirical analysis of permission-based security models and its application to android , 2010, CCS '10.

[4]  Jianming Fu,et al.  "Jekyll and Hyde" is Risky: Shared-Everything Threat Mitigation in Dual-Instance Apps , 2019, MobiSys.

[5]  Ilaria Liccardi,et al.  Improving User Choice Through Better Mobile Apps Transparency and Permissions Analysis , 2014, J. Priv. Confidentiality.

[6]  Bhaskar Krishnamachari,et al.  CONTAIN: Privacy-oriented Contact Tracing Protocols for Epidemics , 2020, 2021 IFIP/IEEE International Symposium on Integrated Network Management (IM).

[7]  Muhammad Ikram,et al.  A first look at mobile Ad-Blocking apps , 2017, 2017 IEEE 16th International Symposium on Network Computing and Applications (NCA).

[8]  Narseo Vallina-Rodriguez,et al.  An Analysis of the Privacy and Security Risks of Android VPN Permission-enabled Apps , 2016, Internet Measurement Conference.

[9]  Zhiqiang Lin,et al.  Why Does Your Data Leak? Uncovering the Data Leakage in Cloud from Mobile Apps , 2019, 2019 IEEE Symposium on Security and Privacy (SP).

[10]  Pauline Anthonysamy,et al.  Reducing Permission Requests in Mobile Apps , 2019, Internet Measurement Conference.

[11]  Sarah E. Kreps,et al.  Americans' perceptions of privacy and surveillance in the COVID-19 pandemic. , 2020, PloS one.

[12]  Gautam Shroff,et al.  Privacy Guidelines for Contact Tracing Applications , 2020, ArXiv.

[13]  Patrick D. McDaniel,et al.  On lightweight mobile phone application certification , 2009, CCS.

[14]  Zhen Huang,et al.  PScout: analyzing the Android permission specification , 2012, CCS.

[15]  Jun Zhao,et al.  Better the Devil You Know: Exposing the Data Sharing Practices of Smartphone Apps , 2017, CHI.

[16]  K. Kim,et al.  What Is COVID-19? , 2020, Frontiers for Young Minds.

[17]  Yaron Gvili,et al.  Security Analysis of the COVID-19 Contact Tracing Specifications by Apple Inc. and Google Inc , 2020, IACR Cryptol. ePrint Arch..

[18]  Tyler M Yasaka,et al.  Peer-to-Peer Contact Tracing: Development of a Privacy-Preserving Smartphone App , 2020, JMIR public health and surveillance.

[19]  Benjamin Armbruster,et al.  Contact tracing to control infectious disease: when enough is enough , 2007, Health care management science.

[20]  David Kotz,et al.  ENACT: Encounter-based Architecture for Contact Tracing , 2017, WPA@MobiSys.

[21]  Hyunghoon Cho,et al.  Contact Tracing Mobile Apps for COVID-19: Privacy Considerations and Related Trade-offs , 2020, ArXiv.

[22]  Xiaohui Liang,et al.  EPIC: Efficient Privacy-Preserving Contact Tracing for Infection Detection , 2018, 2018 IEEE International Conference on Communications (ICC).

[23]  Balachander Krishnamurthy,et al.  On the leakage of personally identifiable information via online social networks , 2009, CCRV.

[24]  Ming Li,et al.  Privacy-preserving inference of social relationships from location data: a vision paper , 2015, SIGSPATIAL/GIS.

[25]  Rohitash Chandra,et al.  Mobile Application for Dengue Fever Monitoring and Tracking via GPS: Case Study for Fiji , 2015, ArXiv.

[26]  Jon Crowcroft,et al.  EpiMap: Towards quantifying contact networks for understanding epidemiology in developing countries , 2014, Ad Hoc Networks.

[27]  J. Murphy The General Data Protection Regulation (GDPR) , 2018, Irish medical journal.

[28]  Vitaly Shmatikov,et al.  Robust De-anonymization of Large Sparse Datasets , 2008, 2008 IEEE Symposium on Security and Privacy (sp 2008).

[29]  C. Fraser,et al.  Quantifying SARS-CoV-2 transmission suggests epidemic control with digital contact tracing , 2020, medRxiv.

[30]  Serge Vaudenay,et al.  Analysis of DP3T , 2020, IACR Cryptol. ePrint Arch..

[31]  Vitaly Shmatikov,et al.  De-anonymizing Social Networks , 2009, 2009 30th IEEE Symposium on Security and Privacy.

[32]  Byung-Gon Chun,et al.  TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones , 2010, OSDI.

[33]  Helen A. Weiss,et al.  Use of a mobile application for Ebola contact tracing and monitoring in northern Sierra Leone: a proof-of-concept study , 2019, BMC Infectious Diseases.

[34]  Pern Hui Chia,et al.  Is this app safe?: a large scale study on application permissions and risk signals , 2012, WWW.

[35]  George Danezis,et al.  An Automated Social Graph De-anonymization Technique , 2014, WPES.

[36]  Anne Liu,et al.  Introduction of Mobile Health Tools to Support Ebola Surveillance and Contact Tracing in Guinea , 2015, Global Health: Science and Practice.

[37]  D. Ranasinghe,et al.  Vetting Security and Privacy of Global COVID-19 Contact Tracing Applications , 2020, ArXiv.

[38]  Michael J Parker,et al.  Ethics of instantaneous contact tracing using mobile phone apps in the control of the COVID-19 pandemic , 2020, Journal of Medical Ethics.

[39]  Carmela Troncoso,et al.  Decentralized Privacy-Preserving Proximity Tracing , 2020, IEEE Data Eng. Bull..