Coronavirus tracing apps could be used by hackers to access your personal data, report says

Cybercriminals could trace your device or access sensitive personal data through contact-tracing apps built for the coronavirus pandemic, a new report says.

In a report released Thursday, cybersecurity firm Check Point noted that U.S. developers are working on contact tracing apps that measure Bluetooth signal strength to detect the distance between device users. The basic idea is, if two devices are close enough, within 6 feet, an infected user could potentially transmit the virus. If somebody is infected, other app users would be notified and could self-quarantine and get tested.

GPS can also be used to determine location. This approach allows health authorities to analyze the geography of the infection spread and take preventative measures. MIT’s SafePaths app, for example, uses GPS technology.

Checkpoint researchers laid out a number of concerns about the apps, including issues with the following:

  • Bluetooth: If not implemented correctly, hackers can trace a person’s device by matching devices and the “identification packets” they send out.
  • GPS: If GPS is used, it can give away sensitive information, revealing where users are traveling and their location during previous days or weeks.
  • Personal data: Apps store contact logs, encryption keys and other sensitive data on devices. This data could be vulnerable if not encrypted and stored in the application “sandbox.”
  • There is also a danger that identity could be exposed if phone number, name or other identifying data is associated with a tracing app.
  • “The jury is still out on how safe contact tracing apps are. After initial review, we have some serious concerns,” Jonathan Shimonovich, Manager of Mobile Research at Check Point, said in a statement.

“Contact tracing apps must maintain a delicate balance between privacy and security, since poor implementation of security standards may put users’ data at risk,” he added.

Google and Apple made news in April when they announced a framework based on Bluetooth for registration of contact events. Each device generates keys to send to nearby devices and the devices store the contact IDs locally.

According to the framework, if a user decides to report a positive diagnosis of COVID-19 to their app, they will be added to the positive diagnosis list – managed by a public health authority – so that other users who came into range of the infected person’s Bluetooth “beacons” can be alerted.

Check Point has offered some pointers on how you can protect yourself from exposing your data:

  • Install apps from reputable stores only such as the App Store and Google Play Store. Those stores only allow authorized government agencies to publish such apps.
  • Use mobile security: install mobile security software to scan applications and protect the device against malware.