Android's exposure notification system has 'implementation' flaws

Publish date: 2023-04-10

Joe Hindy / Android Authority

TL;DR

A potential flaw discovered in Android's COVID-19 exposure notification system could give preinstalled apps access to sensitive information, including personal details about a user's COVID-19 status, advertising IDs, and other device identifiers.

Privacy research company AppCensus (via The Verge) disclosed the issue in a blog post on Tuesday, having first reported the discovery to Google in February.

COVID-19 contact-tracing apps use the exposure notifications system to alert users who have been near infected individuals. On Android, Google's implementation wrote exposure notification data to the phone's system log. Ordinary third-party apps can't read that log, because doing so requires the READ_LOGS permission, which Android reserves for privileged apps. However, AppCensus notes that many pre-installed apps ship with privileged status and the extra permissions that come with it, READ_LOGS among them, so those apps may be able to read the logged exposure notification data as well.

“A stock Xiaomi Redmi Note 9, for example, has 77 pre-installed apps that we identified, 54 of which have the READ_LOGS permission,” notes AppCensus. “A Samsung Galaxy A11 was found to have 131 privileged apps, 89 of which had READ_LOGS.”
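To reproduce that kind of count on a device you control, the following script (an added example, not AppCensus's tooling or anything from the original article) parses `adb shell dumpsys package` output and reports how many system packages are privileged and how many actually hold android.permission.READ_LOGS. The embedded dumpsys excerpt is constructed so the script runs offline; its package names are invented, and the exact dumpsys layout it expects (the pkgFlags, privateFlags and "install permissions" lines) is an assumption that varies between Android versions.

```shell
#!/bin/sh
# Added example: count preinstalled (system) apps that hold READ_LOGS, the
# permission that lets an app read logcat, and therefore anything the
# exposure notification implementation writes there.
#
#   sh read_logs_audit.sh          # runs against the constructed sample below
#   sh read_logs_audit.sh --live   # runs against `adb shell dumpsys package`
set -eu

# Constructed dumpsys excerpt (package names are invented, not from any real
# device). The fourth entry requests READ_LOGS but is neither granted it nor a
# system app; the "Hidden system packages" entry is a factory copy of an
# updated system app and must not be counted twice.
SAMPLE='Packages:
  Package [com.example.oemlogger] (1a2b3c4):
    userId=10042
    codePath=/system/priv-app/OemLogger
    pkgFlags=[ SYSTEM HAS_CODE ALLOW_CLEAR_USER_DATA ]
    privateFlags=[ PRIVILEGED ]
    install permissions:
      android.permission.READ_LOGS: granted=true
      android.permission.INTERNET: granted=true
  Package [com.example.launcher] (5d6e7f8):
    userId=10043
    codePath=/system/app/Launcher
    pkgFlags=[ SYSTEM HAS_CODE ]
    install permissions:
      android.permission.INTERNET: granted=true
  Package [com.example.diag] (9a0b1c2):
    userId=10044
    codePath=/system/priv-app/Diag
    pkgFlags=[ SYSTEM HAS_CODE ]
    privateFlags=[ PRIVILEGED ]
    install permissions:
      android.permission.READ_LOGS: granted=true
  Package [com.example.thirdparty] (3d4e5f6):
    userId=10101
    codePath=/data/app/com.example.thirdparty-1
    pkgFlags=[ HAS_CODE ALLOW_BACKUP ]
    requested permissions:
      android.permission.READ_LOGS
    install permissions:
      android.permission.INTERNET: granted=true
Hidden system packages:
  Package [com.example.oemlogger] (7e8f9a0):
    pkgFlags=[ SYSTEM HAS_CODE ]
    install permissions:
      android.permission.READ_LOGS: granted=true'

# scan_read_logs MODE   (MODE is "count" or "list"); reads dumpsys output on stdin.
# A package counts as system when its pkgFlags include SYSTEM, as privileged when
# its privateFlags include PRIVILEGED, and as holding READ_LOGS only when the
# install permissions section shows granted=true (requesting it is not enough).
scan_read_logs() {
  awk -v mode="$1" '
    function flush() {
      if (pkg != "" && is_sys) {
        total++
        if (is_priv) priv++
        if (has_logs) { with_logs++; if (mode == "list") print pkg }
      }
      pkg = ""
    }
    # Factory copies of updated system apps are listed again here; skip them.
    /^Hidden system packages:/ { flush(); skip = 1 }
    skip { next }
    /^  Package \[/ {
      flush()
      pkg = $2; gsub(/[^A-Za-z0-9._]/, "", pkg)
      is_sys = 0; is_priv = 0; has_logs = 0
    }
    /pkgFlags=\[.* SYSTEM /         { is_sys = 1 }
    /privateFlags=\[.* PRIVILEGED / { is_priv = 1 }
    /android\.permission\.READ_LOGS: granted=true/ { has_logs = 1 }
    END {
      flush()
      if (mode == "count")
        print "system=" (total + 0) " privileged=" (priv + 0) " read_logs=" (with_logs + 0)
    }
  '
}

if [ "${1:-}" = "--live" ]; then
  dump=$(adb shell dumpsys package | tr -d '\r')   # strip CRs some adb builds emit
else
  dump=$SAMPLE
fi
printf '%s\n' "$dump" | scan_read_logs count
printf '%s\n' "$dump" | scan_read_logs list
```

A nonzero READ_LOGS count only tells you which apps could read the log, not that any of them did; the article notes there is no evidence of collection. The names the list mode prints are the apps whose behaviour (and logcat access) is worth reviewing next.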

The logged data includes the proximity identifiers broadcast by other users' devices and the device's own temporary exposure keys. An app that could read them could, in theory, work out a user's health status, for example by matching the identifiers against the diagnosis keys that health authorities publish for users who report a positive test. There's no evidence that any app has actually gathered this data, though.

‘This is a fixable problem’

AppCensus is quick to point out that the exposure notifications system as a whole isn't the privacy issue; Google's implementation of it on Android is. “To be absolutely clear: this is a fixable problem,” stresses the research firm. It urges Google to stop the unnecessary logging of exposure data on Android devices “as soon as possible.” It found no such problem with Apple's implementation on iOS.

According to The Verge, citing The Markup, Google says work on a fix is “ongoing,” but it's unclear when it will roll out to the public.
