Dissecting contact tracing apps in the Android platform
Vasileios Kouliaridis, Georgios Kambourakis, Efstratios Chatzoglou, Dimitrios Geneiatakis, Hua Wang

TL;DR
This study provides a detailed analysis of European Android contact tracing apps, revealing their strengths and vulnerabilities through static and dynamic examination to assess security and privacy risks.
Contribution
It offers a comprehensive static and dynamic analysis of official Android contact tracing apps, identifying security weaknesses and privacy concerns.
Findings
Apps are generally well-engineered but contain vulnerabilities.
Potential security weaknesses include trackers and misconfigurations.
Privacy risks are associated with certain app behaviors.
Abstract
Contact tracing has historically been used to retard the spread of infectious diseases, but if it is exercised by hand on a large scale, it is known to be a resource-intensive and quite deficient process. Nowadays, digital contact tracing has promptly emerged as an indispensable asset in the global fight against the coronavirus pandemic. The work at hand offers a meticulous study of all the official Android contact tracing apps deployed hitherto by European countries. Each app is closely scrutinized both statically and dynamically by means of dynamic instrumentation. Depending on the level of examination, static analysis results are grouped in two axes. The first encompasses permissions, API calls, and possible connections to external URLs, while the second concentrates on potential security weaknesses and vulnerabilities, including the use of trackers, in-depth manifest analysis, shared…
