Credit: Joe Hindy / Android Authority
- Google’s exposure notification system on Android may have an implementation bug.
- According to the findings of a research company, privileged system apps could theoretically get access to the data.
- Google was made aware of the problem in February.
A potential flaw in Android’s COVID-19 exposure notification system could allow preinstalled apps to access sensitive information. This may include personal information about a user’s COVID-19 status, advertising IDs, and other device identifiers.
Privacy research company AppCensus (via The Verge) described the problem in a blog post on Tuesday, but first informed Google of the discovery in February.
COVID-19 status tracking apps use the exposure notification system to alert users when they have been around infected people. This data is stored in a privileged state in the system logs of Android phones, which means that ordinary apps cannot read it. However, AppCensus notes that many preinstalled apps on Android are given privileged status and may have access to additional permissions. One of these is the ability to read system logs, and possibly exposure notification data as well.
“In a Xiaomi Redmi Note 9 standard, for example, 77 apps are preinstalled, 54 of which have READ_LOGS authorization,” notes AppCensus. “A Samsung Galaxy A11 has 131 privileged apps, 89 of which had READ_LOGS.”
Combining this information with the proximity identifiers of other users’ devices and personal temporary exposure keys could theoretically allow a user’s health condition to be determined. However, there is no evidence that apps collected this data.
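The READ_LOGS counts quoted above can be reproduced on a device you administer by auditing which preinstalled packages actually hold the permission. The following is an added example, not code from AppCensus or Google: it parses a constructed, simplified excerpt in the layout of `adb shell dumpsys package` output, and the package names and the `audit_read_logs` helper are hypothetical.

```python
import re

# Constructed, simplified excerpt in the layout of `adb shell dumpsys package` (hypothetical packages).
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.oem.analytics] (1a2b3c):
    flags=[ SYSTEM HAS_CODE ]
    privateFlags=[ PRIVILEGED ]
    install permissions:
      android.permission.READ_LOGS: granted=true
  Package [com.example.oem.clock] (4d5e6f):
    flags=[ SYSTEM HAS_CODE ]
    install permissions:
      android.permission.WAKE_LOCK: granted=true
  Package [com.example.store.game] (7a8b9c):
    flags=[ HAS_CODE ALLOW_BACKUP ]
    requested permissions:
      android.permission.READ_LOGS
    install permissions:
      android.permission.INTERNET: granted=true
"""

PKG_RE = re.compile(r"^\s*Package \[([^\]]+)\]")
FLAGS_RE = re.compile(r"^\s*flags=\[(.*)\]")  # does not match privateFlags=
GRANT_RE = re.compile(r"^\s*android\.permission\.READ_LOGS: granted=true")

def audit_read_logs(dumpsys_text):
    """Return (preinstalled, holders): system-image packages, and those granted READ_LOGS."""
    apps = {}  # package name -> {"system": bool, "read_logs": bool}
    current = None
    for line in dumpsys_text.splitlines():
        m = PKG_RE.match(line)
        if m:
            current = apps.setdefault(m.group(1), {"system": False, "read_logs": False})
            continue
        if current is None:
            continue
        f = FLAGS_RE.match(line)
        if f and "SYSTEM" in f.group(1).split():
            current["system"] = True
        elif GRANT_RE.match(line):  # a request alone is not a grant
            current["read_logs"] = True
    preinstalled = sorted(n for n, a in apps.items() if a["system"])
    holders = sorted(n for n in preinstalled if apps[n]["read_logs"])
    return preinstalled, holders

if __name__ == "__main__":
    pre, holders = audit_read_logs(SAMPLE_DUMPSYS)
    print(f"{len(holders)} of {len(pre)} preinstalled apps hold READ_LOGS: {holders}")
```

The third sample package requests READ_LOGS but is not on the system image and has no grant, so it is excluded from both lists.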
“This is a recoverable problem.”
AppCensus is quick to point out that the privacy issue is not the exposure notification system as a whole, but Google’s implementation on Android. “To be very clear: this is a problem that can be remedied,” emphasizes the research company. It recommends that Google prohibit unnecessary logging of exposure data on Android devices “as soon as possible”. We also found no issues with Apple’s implementation on iOS.
According to The Verge, citing The Markup, Google is working on a fix that is currently “running”, but it is unclear when it will be available to the public.