Problems with the government’s coronavirus contact tracing app on Android phones could leave those phones open to being tracked for days.
Jim Mussared, the software developer who discovered the bugs, says they’re easily fixed.
“All this started because I wanted to explain to my friends why they should install the app,” he said.
“If you’re in any way in a vulnerable situation for which long-term, multiday device tracking could be a major threat, do not install the app,” he said.
Update on COVIDSafe analysis. Two serious Android issues, reported in as many ways as I can find. Also, the iPhone app likely works in the background in most scenarios, despite claims to the contrary (there has been some misunderstanding of how it works).
— Jim Mussared (@jim_mussared) April 29, 2020
However, his recommendation would still be for most people with Android phones to install the software.
For iPhones, he says that while the problems that open up potential tracking aren’t there, COVIDSafe doesn’t reliably work unless the app is actively in use.
His advice is similar to that given by WESNET, an organisation that offers technology safety advice for domestic violence victims.
It says people whose abusers have sophisticated technical abilities should think about their specific personal circumstances before downloading the app. If they do install it, it says, they should consider leaving their phone behind during any meetings they might want to keep secret.
The first issue Mr Mussared found in the Android app relates to the way an anonymous ID is requested from the server every two hours. It could result in a phone being allocated the same identifier for days on end.
A second, similar problem relates to unique information Android phones send out even if the temporary ID changes.
He discussed the bugs with the government agency in charge of the COVIDSafe app on Monday, more than a week after he first found and reported them.
“I just want this app fixed. I haven’t slept for eight days, right, I’ve worked tirelessly to get attention to these issues,” he said.
“I’m not out there to try to facilitate people doing creepy things.”
Health Minister Greg Hunt said five million Australians have downloaded the app, about a third of the adult population the federal government has urged to do so.
“I’m delighted that Australia is now past five million downloads and registrations of the COVIDSafe app,” he said on Wednesday.
“A technology sector leader said to me yesterday that it took Facebook 10 months globally to achieve their first one million users.
“Australians together have, in less than 10 days, achieved five million downloads and registrations. And that’s an extraordinary achievement.”