Abstract
As this article is being drafted, the SARS-CoV-2/COVID-19 pandemic is causing harm and disruption across the world. Many countries aimed at supporting their contact tracers with the use of digital contact tracing apps in order to manage and control the spread of the virus. Their idea is the automatic registration of meetings between smartphone owners for the quicker processing of infection chains. To date, there are many contact tracing apps that have already been launched and used in 2020. There has been a lot of speculations about the privacy and security aspects of these apps and their potential violation of data protection principles. Therefore, the developers of these apps are constantly criticized because of undermining users’ privacy, neglecting essential privacy and security requirements, and developing apps under time pressure without considering privacy- and security-by-design. In this study, we analyze the privacy and security performance of 28 contact tracing apps available on Android platform from various perspectives, including their code’s privileges, promises made in their privacy policies, and static and dynamic performances. Our methodology is based on the collection of various types of data concerning these 28 apps, namely permission requests, privacy policy texts, run-time resource accesses, and existing security vulnerabilities. Based on the analysis of these data, we quantify and assess the impact of these apps on users’ privacy. We aimed at providing a quick and systematic inspection of the earliest contact tracing apps that have been deployed on multiple continents. Our findings have revealed that the developers of these apps need to take more cautionary steps to ensure code quality and to address security and privacy vulnerabilities. They should more consciously follow legal requirements with respect to apps’ permission declarations, privacy principles, and privacy policy contents.
Highlights
As this paper is being written, the COVID-19 pandemic has spread across the world (Trackcorona 2020)
Our study focuses on the fulfillment of fundamental legal principles proposed in Hatamian (2020), the extent to which the privacy policy texts of COVID-19 contact tracing apps are correlated with what developers request and what they do in reality, and the discrepancies/similarities in apps’ privacy policies published by the EU and non-EU bodies in terms of covering fundamental privacy principles
Comparing the vulnerabilities detected in work done by (Papageorgiou et al 2018), it can be noted that COVID-19 contact tracing apps have significant and a high number of vulnerabilities. This can be supported by recent security analysis performed on COVID-19 contact tracing using Mobile Security Framework (MobSF) by Sun et al (Sun et al 2020), which shows the same magnitude of vulnerabilities we identified in our app set
Summary
As this paper is being written, the COVID-19 pandemic has spread across the world (Trackcorona 2020). To manage and control the pandemic, countries and regions are taking different approaches. Enacting partial to full lockdown (with an exception of countries like Sweden), mandating safe physical-distancing measures, face mask wearing for general public, measures for closing/reopening schools and universities, encouraging remote working, border control, using manual and digital contact tracing, and using hygiene measures are among the widely adopted strategies to the pandemic (Han et al 2020). Many countries started the the introduction of contact tracing apps to manage and control the spread of the virus (EDPB 2020a). Contact tracing apps should complement and support the manual contact tracing as such a technology may not be able to penetrate in some populations (e.g. children or elderly). Manual contact tracing remains the main method of contact tracing (EDPB 2020a; Ferretti et al 2020)
Sign-in/Register to view highlights & summary 
Published Version (
Free)
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
Schedule a callDisclaimer: All third-party content on this website/platform is and will remain the property of their respective owners and is provided on "as is" basis without any warranties, express or implied. Use of third-party content does not indicate any affiliation, sponsorship with or endorsement by them. Any references to third-party content is to identify the corresponding services and shall be considered fair use under The CopyrightLaw.
