Pre-installed Android apps can access a device’s system log, which contains sensitive data used to track personal contacts, violating user privacy, researchers said.
It is important to note here that the fault lies in the way this framework was implemented, not in its inherent design flaws. Moreover, no such issues have been found in the iOS version of the app.
According to researchers at AppCensus, the contact tracking system has a privacy loophole so simple you’d think Google would never make such a mistake. And even when AppCensus, a privacy analytics company, reported the bug, Google took no immediate action.
When Google and Apple announced the COVID-19 contact tracking system in April 2020, the companies assured people that their data was completely secure. The data obtained through these applications, which primarily relate to where people go, who they come in contact with, and whether they test positive for COVID, are promised to be anonymous and not shared with anyone except the healthcare providers involved.
Thanks to these assurances, millions of people have since downloaded these applications based on these so-called secure frameworks. However, that doesn’t seem to be the case when it comes to the privacy of Android users.
In the news: Apple iOS 14.5 offers better privacy controls, AirTag support and more.
The system works by storing information on a person’s smartphone about direct collisions with other phones nearby. From the data collected, it can be inferred that two users must be in close proximity to each other. If one of the users is infected or if the meeting involves an encounter with an infected person, the application can perform a risk calculation to estimate the risk of the user being infected.
The two smartphones use random-looking Bluetooth signals, called rolling proximity identifiers (RPIs), to exchange information. These RPIs change every 15 minutes, so the RPI cannot track a specific user. To improve the security of the system, these PIIs are created with keys that change every 24 hours.
It is these PIIs that contain information about whether or not the owner of the phone they came from is infected. The problem is that these RPIs are stored in the system log. While this may seem like a problem, and since 2012 Android’s security controls have prevented ordinary apps from accessing this protocol, there is a catch.
Google allows OEMs, carriers and their business partners to pre-load apps with elevated permissions on phones, meaning they have access to users’ system logs and COVID infection data, as well as anything the contact tracking app decides to include.
These prejudices are common. The base Samsung Galaxy A11 has 131 privileged apps, 89 of which can access this system log with the READ_LOGS permission. There are 77 pre-installed apps on the Xiaomi Redmi Note 9, 54 of which have READ_LOGS resolution.
In the news: Google announces $18 million COVID fund for India, $15 million of which is for ad subsidies.
Of course, Android users are at much greater risk, but you may be surprised to learn that Apple users are also at risk from this vulnerability.
The problem is that sensitive data is captured in system logs that other entities can access.
According to Joel Reardon, co-founder of AppCensus and a forensics expert, this fix involves removing a line that writes sensitive information to the system log. This has no effect on the program and does not change the operation.
In this case, the recorded data may indicate whether a person is infected with COVID or not, the name of his device, his MAC address and the advertising ID of other applications. Since the aforementioned system applications have the necessary permissions to read the system logs, they could theoretically access this data and send it back to their corporate servers.
There is no evidence of this happening yet, but there is nothing to stop companies and developers from doing so.
Reardon tried to bring the problem to Google’s attention and even went so far as to go through the bug bounty program. However, Google’s security team replied that the bug was not enough to warrant a payment and that the security team would decide whether to make changes.
Reardon contacted the 19th. In February, Giles Hogben, director of privacy at Android Engineering, also raised concerns about pre-installed apps that can read log data.
Hogben wrote in an email dated 25. February: system logs could not be read by apps without permissions (only with the privileged permission READ_LOGS) long before Android 11. Yet Reardon insists that hundreds of preinstalled applications can still read system logs.
In the news: Spotify’s mini-player is coming to Facebook for premium users in 27 countries.
The one who writes/cuts/films/owns all the technology, and when he’s not around, switches to virtual machine races. You can contact Yadullah at [email protected], or follow him on Instagram or Twitter.
Privacy settings,How Search works,cell phone privacy,phone surveillance