Android bug exposed sensitive data to pre-installed apps
The Android version of Google and Apple’s COVID-19 exposure notification app had a privacy flaw, which was revealed by AppCensus, a privacy analysis firm. The flaw let other preinstalled apps access sensitive data, including whether someone had been in contact with a person who tested positive for COVID-19. Google says a fix for the bug is currently rolling out.
Repeated promises were made by Google CEO Sundar Pichai, Apple CEO Tim Cook, and various other public health officials that the data collected by the exposure notification program would not leave one’s phone.
Fixing the issue would be as simple as deleting a few non-essential lines of code, stated Joel Reardon, co-founder and forensic lead of AppCensus, as reported by The Markup. He added that “it’s such an obvious fix, I was flabbergasted that it wasn’t seen as that.” The privacy analysis firm first reported the bug to Google in February, but the tech giant failed to address it.
As part of a contract with @DHSgov, we have been examining the privacy behaviors of contact-tracing apps.
In mid-February, we disclosed to Google a serious privacy vulnerability in their Android implementation of the Google-Apple Exposure Notification (GAEN) framework.
1/3
— AppCensus (@AppCensusInc) April 27, 2021
On Android phones, the contact tracing data is logged in privileged system memory, where it is inaccessible to most software running on the phone. However, apps preinstalled by the manufacturer receive special privileges that allow them to access that data. At this point, there is no indication that any app has actually collected the data, said Reardon.
In the past, other investigations have shown that preinstalled apps have abused such privileges, sometimes harvesting geolocation information and phone contacts.
