A Security & Privacy Analysis of US-based Contact Tracing Apps
Joydeep Mitra

TL;DR
This paper empirically evaluates US-based contact tracing apps built on the GAEN framework, revealing privacy violations and vulnerabilities that compromise user privacy and security.
Contribution
It provides a comprehensive analysis of privacy policy compliance and security vulnerabilities in US GAEN-based contact tracing apps.
Findings
All apps violate their stated privacy policies.
Several known vulnerabilities are present in the apps.
Apps have privileges that may lead to privacy breaches.
Abstract
With the onset of COVID-19, governments worldwide planned to develop and deploy contact tracing (CT) apps to help speed up the contact tracing process. However, experts raised concerns about the long-term privacy and security implications of using these apps. Consequently, several proposals were made to design privacy-preserving CT apps. To this end, Google and Apple developed the Google/Apple Exposure Notification (GAEN) framework to help public health authorities develop privacy-preserving CT apps. In the United States, 26 states used the GAEN framework to develop their CT apps. In this paper, we empirically evaluate the US-based GAEN apps to determine 1) the privileges they have, 2) if the apps comply with their defined privacy policies, and 3) if they contain known vulnerabilities that can be exploited to compromise privacy. The results show that all apps violate their stated…
Taxonomy
Topics: COVID-19 Digital Contact Tracing · Privacy, Security, and Data Protection · Mobile Health and mHealth Applications
