UK government Covid tracking app: what we found

As the UK launches the 'pilot' of its app to trace potential Coronavirus patients, we look at the app's technical functionality.

Key findings
  • Our analysis of the NHSX app reveals that there is no mechanism to opt-in or opt-out of third-party trackers which are included with the app
  • It seems that the app only works while it is operating in the foreground, particularly on iOS devices, making its efficacy questionable
  • The app is incompatible with a range of older Android devices, potentially putting the most vulnerable, such as the elderly or those on low incomes, at risk

Courtesy of Marco Verch (CC BY 2.0)

This week saw the release of a coronavirus tracking app within the United Kingdom, initially to be trialled in the Isle of Wight. Privacy International has been following this closely, along with other ‘track and trace’ apps like those seen in over 30 other countries.

The UK’s app is no different. It is a small part of a public health response to this pandemic. As with all the other apps, it is vital that it be integrated with a comprehensive healthcare response, prioritise people, and minimise data. It must empower people so that they know that their data and their devices are secure, and any new functionality must be destroyed at the end of this global pandemic. Our broader look at apps being used to fight COVID19 is available here.

PI was fortunate enough to be given early access to the UK NHS COVID19 tracker (also known as CoLocate or Solar) as it entered its trial period. PI is investigating both the Android and iOS implementations of the app. Although we plan to do a deeper technical investigation soon, here is what we know so far, along with our concerns in the wider security and privacy contexts.

What we know

We appreciate that this app’s development cycle has been accelerated, and that the current form of the app at the time of writing may be only the most minimal of viable products. However, it is already being touted by politicians and press in the UK as something that will assist in the easing of current lockdown conditions.

To date, PI has only looked at the app functionally, read its associated documentation, and run it through our own internal Exodus Privacy instance. Exodus Privacy does basic “static analysis” (programmatically looking at the code for trackers and permissions) on Android installer packages. We will cover this in three parts: what we can learn from the Apple App Store and Google Play Store documentation, what we can learn from the permissions the app requests, and finally how those permissions interact with the functionality.

App Store Metadata

Both the Apple App Store and Google Play Store link to a Privacy Policy on the https://covid19.nhs.uk website, which is separate from the main NHS privacy statement. The iOS version also includes a link to the software license, which in this case is an open-source MIT License. While we would commend the NHS for distributing this software under such a permissive license (it makes the legal barriers to deeper security and privacy research using techniques such as decompilation considerably less onerous), such a permissive license also poses a number of issues, including allowing individuals to sell the NHS COVID tracking app if they so wish.

…without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software,


We have concerns that this could lead to copycat apps being spread that trick users into installing them. These would erode users’ trust and could compromise users’ devices if the apps have malicious behaviours, a topic around which PI has previously highlighted concerns.

The MIT Licence as it appears in the iOS app store

Lastly, in relation to licensing, the software is provided without any warranty; “As-is”. This would appear peculiar for an app being targeted directly at a public health initiative by a government, although the NHS may be giving other guarantees elsewhere.

Permissions

Having downloaded the app, we parsed it through our own version of the Exodus tool, by Exodus Privacy, to examine its permissions and trackers (a topic we have covered many times here, here and here).

The permissions detected by Exodus can be seen below:

Most of these permissions aren’t surprising, or indeed particularly harmful in a conventional sense, although they do directly contradict assertions made by UK Government Ministers. For instance, the WAKE_LOCK permission will (as Exodus summarises) stop the phone from “going to sleep”, a crucial mode for saving battery capacity. That the app prevents sleeping will cause, by design, accelerated battery drain. Most of the remaining permissions are either related to maximising when the app is available or manipulating Bluetooth access.

As Exodus highlights, two of the permissions are marked “Dangerous or Special”, meaning they require specific consent to operate properly. These permissions relate to the collection of location data (a byproduct of the ‘Bluetooth Low Energy tracking’ the app employs). Although we don’t believe the app to be using location data at this time, this could be changed subsequently and the permission would already have been granted (e.g. access to GPS). This would mean additional, very accurate data about the users’ location could be collected without additional consent.
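To make the permission triage described above concrete, here is an added example (our illustration, not Exodus Privacy's code or the NHS app's manifest) that parses an Android manifest, flags the runtime-consent location permissions that Bluetooth Low Energy scanning requires on Android 6+, notes WAKE_LOCK, and compares the declared minSdkVersion against device Android releases. The manifest and its minSdkVersion value are constructed placeholders.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Runtime ("dangerous") permissions needing an explicit grant on Android 6+;
# only the location ones, which BLE scanning requires there, are listed.
DANGEROUS = {"android.permission.ACCESS_COARSE_LOCATION",
             "android.permission.ACCESS_FINE_LOCATION"}

# Android release -> API level, to compare a device against minSdkVersion.
API_LEVEL = {"6.0": 23, "6.0.1": 23, "7.0": 24, "7.1": 25,
             "8.0": 26, "8.1": 27, "9": 28, "10": 29}

# CONSTRUCTED manifest for illustration, not the NHS app's real manifest;
# the minSdkVersion value is a placeholder.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="example.tracing.app">
  <uses-sdk android:minSdkVersion="24" android:targetSdkVersion="29"/>
  <uses-permission android:name="android.permission.BLUETOOTH"/>
  <uses-permission android:name="android.permission.BLUETOOTH_ADMIN"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
</manifest>"""


def analyse_manifest(xml_text):
    """Summarise declared permissions, runtime-consent ones and minSdkVersion."""
    root = ET.fromstring(xml_text)
    perms = sorted(e.get(ANDROID_NS + "name") for e in root.iter("uses-permission"))
    sdk = root.find("uses-sdk")
    min_sdk = int(sdk.get(ANDROID_NS + "minSdkVersion", "1")) if sdk is not None else 1
    return {
        "permissions": perms,
        "dangerous": sorted(p for p in perms if p in DANGEROUS),
        # A granted location permission would also cover later GPS use.
        "location_capable": any(p in DANGEROUS for p in perms),
        "holds_wake_lock": "android.permission.WAKE_LOCK" in perms,
        "min_sdk": min_sdk,
    }


def runs_on(report, android_release):
    """True if a device on this Android release meets the app's minSdkVersion."""
    return API_LEVEL[android_release] >= report["min_sdk"]


if __name__ == "__main__":
    report = analyse_manifest(SAMPLE_MANIFEST)
    print(report, {rel: runs_on(report, rel) for rel in API_LEVEL})
```

minSdkVersion is only one compatibility gate: a device such as the Fire HD 8 without the Google Play Store can fail for reasons this check does not see.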

Functionality

Early tests by us on multiple phones suggest that the app works as described when in the foreground on both Apple and Android devices. We have yet to do analysis of what data is being transmitted between devices, what data is being shared with the NHS, or what is sent to the two third-party trackers included with the app (shown below).


Until we do further analysis we won’t be sure what data, if any, these trackers are collecting and with whom those data are being shared. Within the app’s workflow there is no method to opt in (or opt out) to analytics or third-party tracking. This means that if any personal data, such as unique identifiers (e.g. your phone’s Google Advertising ID), are being sent to third parties without consent for non-healthcare-related purposes, this could be a breach of the General Data Protection Regulation (GDPR).

We note (along with other commentators) that the Apple version of the app uses surprisingly little energy (battery) as it runs. This suggests that the app may not, in fact, be functioning correctly – we suspect it isn’t actually sending Bluetooth beacons, in line with Apple’s developer documentation that background Bluetooth scanning is prohibited. We are hoping to test this further soon.

The app installed successfully on only two of five Android devices we had available, even though we were assured that the app would work on Android 6+ devices:

Android: App is working on these devices
  • Google Pixel (1) - Stock Android 10
  • LGE/Google Nexus 5 - CM/Lineage Android 8.1
Android: App failed to work on these devices
  • ASUS/Google Nexus 7 (2013) - Stock Android 6.0.1
  • LGE/Google Nexus 5 - Stock Android 7.1
  • Amazon Fire HD 8 - Incompatible Android/No Google Play Store
iOS: App is working on these devices
  • iPhone 7
  • iPhone SE (2020)

Who are these apps for?

Privacy International has been working for the past year on the question of whether those with the cheapest phones are being excluded from society or being otherwise exploited. The cursory testing we have completed of this latest app seems to suggest that only those with modern smartphones will be eligible to run it. This means it is likely to exclude those who can only afford cheaper phones, and most likely people on lower incomes. It is of note that those who are on the lowest incomes are disproportionately likely to be key/essential workers and the elderly, who are at most risk/exposure.

The fact that the app must be in the foreground to be effective makes its usefulness highly questionable. Many workers who are putting themselves at risk, and are also a likely conduit for the spreading of the virus, will be unable to have the app open while working. For example, Uber drivers and Deliveroo and Amazon deliverers all use those companies’ apps when completing tasks. Even the NHS’ own responders using the GoodSAM app may have difficulty using the NHS COVID19 app while completing their duties. This makes the app’s data collection spurious. This is before entering into the debate that the app uses self-reporting rather than medical testing to assess if an individual has coronavirus.

Although we commend the NHS for attempting to innovate in the climate of an unprecedented public health crisis, it would appear that governmental pressure has stifled these apps’ ability to be of realistic help to the public. In its current state, it’s hard to quantify if it offers any benefit to the public. In a time when people are looking for care and clarity, this app provides only capricious uncertainty.

Glossary

Bluetooth

A protocol for transmitting data over short distances.