Apple-Google Exposure Notification has a privacy flaw on Android

Posted:
in General Discussion
The Android version of the Apple and Google Exposure Notification system reportedly has a flaw that may have leaked sensitive data to a device's preinstalled apps.

Credit: Apple/Google
Credit: Apple/Google


Back in 2020, the two tech giants unveiled the collaborative project as a way to help mitigate the spread of coronavirus. Although Apple and Google promised that the system would be privacy-respecting, a new report suggests that may not be the case on Android.

According to The Markup, a flaw in the system could let preinstalled apps on an Android device see sensitive information, such as if a user has been in contact with another person who tested positive for COVID-19.

The issue lies in the fact that contract tracing data is stored in privileged system memory on Android devices. While that memory is normally inaccessible to other apps, preinstalled apps from manufacturers can see those logs because of special privileges. There is no indication that any apps have abused the flaw, however.

App privacy analysis firm AppCensus discovered the flaw and reported it to Google in February. As of Tuesday, the issue has yet to be resolved.

Google says that updates to fix the issue are currently "ongoing." However, according to AppCensus, fixing the issue would only require deleting a few "nonessential" code strings.

According to The Markup and researchers at AppCensus, the iPhone version of the exposure notification system does not have any similar vulnerabilities.

Comments

  • Reply 1 of 4
    “Google” and “privacy-respecting” probably don’t belong in the same sentence. Who is surprised by this? Facebook has probably already linked that data to it’s users.
    edited April 27 rob53watto_cobra
  • Reply 2 of 4
    22july201322july2013 Posts: 2,511member

    The issue lies in the fact that contract tracing data is stored in privileged system memory on Android devices. While that memory is normally inaccessible to other apps, preinstalled apps from manufacturers can see those logs because of special privileges. There is no indication that any apps have abused the flaw, however.
    Apple's apps are required to have no special privileges, when compared with Apple's competitors, so why do Google's Android vendors get away with it? Sounds like an antitrust violation to me. 
    watto_cobra
  • Reply 3 of 4
    derekmorrderekmorr Posts: 210member
    Apple's apps are required to have no special privileges, when compared with Apple's competitors, so why do Google's Android vendors get away with it? Sounds like an antitrust violation to me. 
    It’s no such thing. The issue is the use of the READ_LOGS app permission on Android. That permission let’s apps read system log files. It was intended for use for debugging apps. Back in 2012, Google changed the OS so that third party apps could no longer obtain this permission. This change was intended to protect user privacy by disallowing third party apps from reading potentially sensitive data.
  • Reply 4 of 4
    EsquireCatsEsquireCats Posts: 1,188member
    derekmorr said:
    Apple's apps are required to have no special privileges, when compared with Apple's competitors, so why do Google's Android vendors get away with it? Sounds like an antitrust violation to me. 
    It’s no such thing. The issue is the use of the READ_LOGS app permission on Android. That permission let’s apps read system log files. It was intended for use for debugging apps. Back in 2012, Google changed the OS so that third party apps could no longer obtain this permission. This change was intended to protect user privacy by disallowing third party apps from reading potentially sensitive data.
    beggars belief that such a function was ever available outside the test environment
    applguywatto_cobra
Sign In or Register to comment.