The Linux Foundation’s Public Health (LFPH) initiative has sponsored audits of two COVID-19 exposure notification apps, COVID Shield and COVID Green. As part of their stewardship of these projects, the Linux Foundation decided that it would be prudent to perform due diligence by reviewing the design and code of the apps. These audits seek to get a security and privacy review of both projects in order to find and close potential issues with the applications’ design or code. LFPH consulted with OSTIF to locate the appropriate expertise for the review.
Both applications had threat models developed to identify potential weaknesses in the design and to identify how an attacker may try to tamper with the privacy or integrity of the software, and both applications had their client source-code reviewed. Server-side software was out of scope for this review, as the projects are making significant revisions to server-side code in the near future.
As a result of these two reviews, both applications have had improvements implemented to correct potential issues. This review provides assurance that the applications are generally safe and private.
As with all OSTIF security research, the full report from Symbolic Software is available in its original (PDF) format at the bottom of this page.
What are COVID Shield and COVID Green?
COVID Green – This application, mostly developed by volunteer engineers from NearForm, was donated to the Linux Foundation by the government of Ireland. It is an application framework and already has millions of active users in Ireland under the app name Covid Tracker. Apps based on this framework have also been launched in multiple US states including New York, Delaware, Pennsylvania, and New Jersey.
Audit One – COVID Shield / COVID Alert
Issues found for COVID Shield / COVID Alert by the audit team are below, sorted by severity. The full description of issues, as well as the threat modeling for COVID Shield / COVID Alert can be found in the full report at the bottom of this page.
CVG-01-003 COVID Shield – Misleading Security Guarantees – WILL NOT FIX – EXPLAINED BELOW
Many functions in the COVID Alert application (and virtually all contact-tracing applications) require the client device to make some form of API request, frequently over HTTPS. Such requests immediately reveal the user’s IP address to the COVID Alert service, thereby allowing immediate identification of the user’s approximate location and subsequent potential identification of their name and home address via contact with the Internet Service Provider (ISP). Users are presented with screens upon installing and using COVID Alert that tell the user that the app “has no way of knowing your location, name, or address.” Honouring that claim requires the servers to be configured to throw away IP addresses upon receipt, and there is no way for a client to verify that this is being done.
The COVID Shield / Alert team responded to this issue by stating that IP addresses are discarded server-side in the Canadian version of the app. This does not guarantee that the same is done in other places where the framework is used. The primary concern is that in other nations there can be serious privacy consequences to combining a user’s COVID history with their IP address. A pertinent example would be if pre-existing conditions protection were rolled back in the United States and states then pulled data from COVID Alert servers to drop millions of people from insurance.
To be abundantly clear, this is a problem with the GAEN framework in general and not specific to COVID Shield or COVID Alert. The issue is that the app claims there is “no way of knowing” some identifying information that can definitely be discerned from the user’s IP address if the party running the servers wanted to obtain it.
CVG-01-004 COVID Shield – Diagnosis Key Timestamps Set by Client – NO FIX REQUIRED – SERVER DISCARDS DATA
It was found that Diagnosis Key reporting logic on the COVID Alert client allowed the client to set the timestamp for the Diagnosis Key reporting event. This could allow clients to maliciously provide incorrect timestamps for exposure key reporting events.
CVG-01-007 COVID Shield – Tests Fail to Generate Random Keys – FIXED
It was found that the unit tests for the COVID Alert application failed to generate random keys, thereby forcing tests to always default to null keys, which could lead to reduced test coverage for a critical component of the application’s functionality.
Audit Two – COVID Green / COVID Tracker
CVG-01-001 COVID Green: Denial of Service through Diagnosis Key Flooding – FIXED
A COVID Green server could potentially be made to flood users with diagnosis keys, leading to a denial of service for app users.
It was confirmed with the COVID Green dev team that server-side checks now limit the number of diagnosis keys that can be sent to the client. Additional logic was added to eliminate duplicate entries, verify the key structure, and verify the dates of keys, and uploads now require a one-time code.
CVG-01-002 COVID Green: Potential Diagnosis Keys Reuse – FIXED
Diagnosis keys were being handled in a way that could lead to false exposure notifications, because key checking was not handled cleanly and the same key could be processed more than once.
The fixes from CVG-01-001 also resolved this issue.
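The checks described for CVG-01-001 and CVG-01-002 (batch cap, duplicate elimination, key structure, key dates) as they could be applied on the client side, written here in TypeScript as an added example; this is not code from COVID Green or COVID Shield, and the key layout, retention window and batch cap are assumptions stated in the comments.

```typescript
// Added example, not code from COVID Green or COVID Shield: the client-side
// counterpart of the server checks described for CVG-01-001/002. Key layout
// assumptions follow the GAEN Temporary Exposure Key: 16 bytes of key material,
// a rollingStartNumber in 10-minute intervals since the Unix epoch, and a
// rollingPeriod of at most 144 intervals (one day).
interface DiagnosisKey {
  keyData: string;            // hex-encoded key material
  rollingStartNumber: number; // first 10-minute interval the key was valid
  rollingPeriod: number;      // number of intervals the key stayed valid
}
interface ValidationResult {
  accepted: DiagnosisKey[];
  rejected: { key: DiagnosisKey; reason: string }[];
}

const KEY_HEX_LENGTH = 32;          // 16 bytes of key material
const INTERVALS_PER_DAY = 144;      // 24 h / 10 min
const MAX_KEY_AGE_DAYS = 14;        // constructed retention window
const MAX_KEYS_PER_BATCH = 2000;    // constructed cap against key flooding

function validateKeyBatch(
  keys: DiagnosisKey[], nowInterval: number, maxKeys = MAX_KEYS_PER_BATCH,
): ValidationResult {
  // Refuse an oversized batch outright: matching thousands of keys is the work a flooding server wants done.
  if (keys.length > maxKeys) {
    return { accepted: [], rejected: keys.map((key) => ({ key, reason: 'batch too large' })) };
  }
  const result: ValidationResult = { accepted: [], rejected: [] };
  const seen = new Set<string>();
  const oldestInterval = nowInterval - MAX_KEY_AGE_DAYS * INTERVALS_PER_DAY;
  for (const key of keys) {
    const reject = (reason: string) => result.rejected.push({ key, reason });
    const data = key.keyData.toLowerCase();
    if (data.length !== KEY_HEX_LENGTH || !/^[0-9a-f]+$/.test(data)) {
      reject('malformed key data');
    } else if (!Number.isInteger(key.rollingPeriod) || key.rollingPeriod < 1 || key.rollingPeriod > INTERVALS_PER_DAY) {
      reject('invalid rolling period');
    } else if (!Number.isInteger(key.rollingStartNumber) || key.rollingStartNumber > nowInterval) {
      reject('invalid or future-dated start');
    } else if (key.rollingStartNumber + key.rollingPeriod < oldestInterval) {
      reject('key older than retention window');
    } else if (seen.has(data)) {
      reject('duplicate key');   // the same key material must not count twice
    } else {
      seen.add(data);
      result.accepted.push(key);
    }
  }
  return result;
}
```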
CVG-01-005 COVID Green: SMS Provider Obtains Diagnosed Phone Numbers – WILL NOT FIX – EXPLAINED BELOW
COVID Green users receive positive diagnoses through text messaging. The design of COVID Green allows developers to choose from a number of SMS (text messaging) service providers. In the case of COVID Tracker in Ireland, this service is Twilio. This means that all users in Ireland who receive a positive diagnosis share their diagnosis directly with Twilio. Further, using SMS means that there is no end-to-end encryption protecting the information in the text messages, which potentially leaves the diagnosis transmissions open to parties between the user and the Twilio server. Additionally, the Twilio service itself can read the text message contents in plain text. This means that, for example, cellular providers could garner the COVID status of all of their users in Ireland who have used COVID Tracker.
This is especially problematic because COVID Green is intended to be used as a framework for many nations to implement, meaning the application’s design should be robust enough to withstand many jurisdictions and privacy laws. It is recommended by the audit team, and by OSTIF, that a more private design be developed that employs encryption and/or local services only. This would help developers who want to use the framework comply with privacy laws around the world. If such a change cannot or will not be implemented, the OSTIF team recommends that negative test results also be delivered through the SMS provider, so that the SMS provider cannot tell from the existence of a message whether a result is positive or negative.
The COVID Green team has responded that Twilio is one of many SMS providers that can be selected, and that environments employing COVID Green are free to set up their own provider. Further, the use of Twilio for COVID Tracker received special approval from the Irish health authority and the Irish Data Protection Commissioner.
CVG-01-006 COVID Green: Statistical Data Figures Overly Precise – OUT OF SCOPE ISSUE
The COVID Green app provides statistics broken down by region in Ireland. These statistics are precise enough that they could assist in deanonymizing users who live in rural areas. It is recommended to display less specific ranges rather than precise figures that could lead to identifying users.
The COVID Green team has responded that these statistics come directly from the Irish department of health and they have no control over statistical reporting in COVID Tracker.
Both applications implemented front ends for the GAEN framework that did not significantly compromise its security goals. However, issue CVG-01-005 shows us that design decisions when building a new application can weaken the overall privacy goals of the original design, and issue CVG-01-003 shows us that security guarantees can be misleading to the user in the full context of how a framework may be ultimately implemented by other parties.
As a result of this audit, multiple issues were resolved proactively by both teams, and the major findings of this audit show that both frameworks are generally safe to use.
Special thanks are in order to David A. Wheeler at the Linux Foundation, Linux Foundation Public Health, Dr. Nadim Kobeissi and Sasha Lapiha at Symbolic, Colm Harte and James Snell at Nearform, and John O’Brien at the Canadian Digital Service for helping this project to succeed.
Full Audit Document for COVID Shield and COVID Green (COVID Alert and COVID Tracker)