COVIDSafe App Explained: GovHack’s overview on Australia’s contact tracing application

COVIDSafe App Explained: GovHack’s overview on Australia’s contact tracing application

Everything you need to know about the COVIDSafe App as a developer and as a user

COVIDSafe‘s Idea Journey: From Singapore to Australia

The Australian government launched the contact tracing app called COVIDSafe on 26th April 2020 shortly after the Morrison Government began eyeing the Singaporean TraceTogether app built for the same purpose. The app is sought to aid the government’s efforts in ‘flattening the curve’ and thereby easing restrictions. With the 6 million downloads recorded as of 1 June 2020 according to ABC News, the government pressed that downloading it wasn’t a mandate but rather a catalyst to recovery. “The more people voluntarily downloaded a smartphone app designed to track the contacts of people infected, the sooner life could return to normal,” said Australian Prime Minister, Scott Morrison.

Prior to its access in the hands of millions of Australians, it was a mere source code within the infant stage of development that the government had retrieved from the Singaporean government as part of open source data.

“We believe that making our code available to the world will enhance trust and collaboration in dealing with a global threat that does not respect boundaries, political systems or economies,”

Singapore Foreign Minister Vivian Balakrishnan declared to InnovationAus.

Succeeding the humble act, the current Australian Prime Minister Scott Morrison sat with Singapore Prime Minister Lee Hsien Loon on a video conference on the 23rd of March during which the tools and approaches used were canvassed for detailed discussion. The open dialogue then inspired robust R&D worth $1.5 million AUD of government expenditure.

The Crux of Design and Development

It was subsequently designed and jointly created by Amazon Web Services (AWS), Boston Consulting Group Digital Ventures (BCG), Shine Solutions Group, and Canberra company Gosource as reported by the Sydney Morning Herald. At the crux of its contact tracing feature is the app’s ability to record “digital handshakes” within a 1.5 meter vicinity of the user for longer than 15 minutes using bluetooth connectivity. Quite similar to TraceTogether minus the GPS tracking functionality, the app which is built by Digital Technology Agency is claimed to be an improvement of the original but experts say there are several discrepancies in its compatibility for Android and Iphone users. Take a look below for an investigation into COVIDSafe’s code, functionalities and flaws.

  • Software used: Built predominantly for smartphones, it uses Kotlin software for Android and Swift for iOS making it compatible for updates as old as iOS 10 and Android 6.0.
  • Uploading data: Upon receiving consent at sign up, personal data is uploaded onto the host’s server. For a cost of up $700,000AUD, the federal government holds all collected data on Amazon Web Services (AWS) system.
  • Data storage and retention: Microsoft Most Valuable Professional and mobile app development expert, Matthew Robbins, shared specifics of data storage and retention.
  • Data transmission: Data is only transmitted when a user tests positive, which will only be made available to state health authorities charged with contact tracing. The transmission process occurs via HTTPS to an AWS instance secured only upon the furnishing of a public/private key pair.
  • Reverse engineering: Preceding a public release of the source code for both Android and iOS, professional developers in the field reverse engineered the application to descend their way to the original code. Anyone is able to decompile the app by following a step-by-step process which frightens users of rewriting of malicious code and republishing on the App Store and Play Stores. However, this issue is circumvented by the highly credible review process of both Google and Apple as well as the safe guarded government website which requires sign-on credentials that are not made public.
  • Discrepancies: An in-depth autopsy of the app for Android and Iphone by open-source engineer, Geoffrey Huntley, sparks heavy debate about the capabilities of COVIDSafe and its future. A prior flaw existing in Iphones which resulted in tracing difficulty while the phone is locked has been resolved. However, other issues related to signing up have lingered on. With the code now publicly released for Apple and Android, developers can help refine the app with a sense of civic duty or out of keen interest so that Australia can soldier through and tackle the novel disease head on.

The act of humanity has been extended by Australia as well, with the public release of the source code (which can be found here) for foreign interest of a similar approach to battle unprecedented circumstances. What’s immediately evident from the case of Singapore and Australia is that open data has bridged the gap between what is a problematic reality and what can be a utopian solution. Open data furthermore puts forward an avenue for hackers and developers to employ their skills in making the app more comprehensive. Geoffrey Huntley is one such app developer who has come forward to collate information from open data sources and has in the process devised a complete dissection of the app along with other developers as contributors.

Privacy and Security

Despite being downloaded by nearly 25% of the population, users still have their doubts regarding many functions of the app and remain anxious about the privacy and security of the application. GovHack answers some of the most perturbing queries below:

  • What data is collected? User’s name, age, phone number, postcode, an encrypted user ID, and whether the user has tested positive for coronavirus. Upon inserting personal information, users need to consent for health authorities to access the contact IDs they have come in close proximity with.
  • Should I be worried that my data is stored by AWS? AWS has the highest data security certification for its Sydney data centre. Nevertheless, the Australian government has legislated under Biosecurity Act 2015 that any leaking of this information offshore will be considered a heinous crime, whether data is transported or stored outside Australia.
  • Who has access to my data? Data once consented for an upload to AWS will be held by the federal government until the user has tested positive, after which data will be released to state health authorities. Health Minister Greg Hunt has directed that this information will exclude all irrelevant parties (Centrelink, Home Affairs, Police Department) from access through a Determination 2020 legislation. William Jeffries, State Director of GovHack Victoria however stresses the need for governing bodies to clearly demarcate what data is open to the public and what data must remain private, “None of the data from COVIDSafe should be public, at all, except maybe the download numbers.”
  • How long is my data stored for? The repository of those who have downloaded the app along with their registration data will be held on the government server until the end of the pandemic. However, as far as the user’s contacts are concerned these are automatically deleted after every 21 days by way of a cleanup technology of the app.
  • Is my data secure? Health Minister, Greg Hunt, reassured users of the app’s data security and privacy. He told the Guardian, “In terms of privacy, no other person can access what is on your phone.” He went on to say “It cannot leave the country. It cannot be accessed by anybody other than a state public health official. It cannot be used for any purpose other than the provision of the data for the purposes of finding people with whom you have been in close contact with and it is punishable by jail if there is a breach of that.”
  • Is it compatible with all smartphones? Apple users as old as an iOS 10 and Android users as old as 6.0 can download the app.
  • Is there a possibility other existing app on our phones sends an update which pulls out data from the COVID safe app while it is running? According to experts in a panel discussion, the data sits in the room API and is sandboxed which means it cannot be pulled out by other running app unless the phone is jail broken. Even if so, jail break will wipe out all existing data on the phone disallowing for any extraction of information.

The Verdict

After tearing down the entire app in a two-hour long panel discussion and several debates on Twitter by professionals, the COVIDSafe app is considered to be “above board and following industry standard” with room for improvement on a tougher safety net and its faulty features. On this accord, William Jeffries, State Director of GovHack Victoria, shared his thoughts,

“There is some really strong legislation around who can access any of the information that a user voluntarily hands over. In fact it is by far the most comprehensive and privacy protective application I have ever come across.”

William Jeffries, State Director of GovHack Victoria

The app can be downloaded from the Apple Store and the Google Play Store.

Looking for an even more extensive breakdown of the application? Tune into the panel discussion below or get involved in resolving some of the issues here.

Professional experts dissect Australia’s contact tracing app