The code for the COVID-19 contact tracing app national database and algorithm used to sort through contacts needs to be made public so its security can be fully and independently confirmed, a number of developers have said.
Late last week the Digital Transformation Agency publicly released the source code for its COVIDSafe app, which uses Bluetooth technology to record contact with other users locally and encrypted on the device.
If a user tests positive for COVID-19, they then give permission for this data to be sent to a national datastore run by AWS, with an algorithm then used to sort through these contacts and send the relevant ones to state or territory health authorities to conduct contact tracing.
But the code released was only for the Android and iOS app and not for any of the backend operations of the service.
Digital Rights Watch chair Lizzie O’Shea said this element of the contact tracing technology is most important to be independently scrutinised.
“We’re only halfway. Most people are less concerned with what is happening on their device than what the government is doing with their information once they have it, and rightly so. This distrust comes from both bungled projects like the census and deliberate misuse like robodebt,” Ms O’Shea told InnovationAus.
“The only way the government can start to address this is with complete transparency, and that means not only releasing the app source code, but the code from their end too. Everyone wants to believe they’re only doing what they’ve said they’re doing. The only way to be certain is for them to release the rest of the code.”
The DTA has confirmed that it will not be making this code public due to security concerns.
“To protect the privacy of Australians, the government will not be releasing source code for the National COVIDSafe server, nor will we share the algorithm that will be used to convert encrypted data into meaningful information for health officials,” the DTA said in a statement.
But cryptography expert and Thinking Cybersecurity chief executive Dr Vanessa Teague said it would be safe to release all of this information if it was done in a proper and secure manner.
“If it isn’t broken, they don’t need to keep it secret,” Dr Teague told InnovationAus.
“It’s so the security community can examine what they’re doing and look for bugs and help them fix them. Exactly as the community of people who know about Bluetooth are now doing with their Bluetooth bugs.
“We can look at what the app is uploading, and how secure the app itself is, which is great. But we don’t really know what’s in those ‘encrypted’ Bluetooth pings we’re all sending around unless we get code and/or documentation describing how it works,” she said.
“At the moment we don’t even know whether they’ve followed the Singaporeans in using 256 bit AES-GCM or made up their own.”
Qte.am executive chair and software developer Jessica Glenn, who has been analysing the COVIDSafe source code since the app was first launched two weeks ago, said the official release last week of the app code didn’t provide any additional assurance around the service’s security.
“The code that was released was only for the applications, not any of the backend code. So while researchers are able to confirm the things that we have seen in the reverse engineering of both the iOS and Android application, we have no more clarity around how contacts are filtered, accessed or secured,” Ms Glenn told InnovationAus.
“This is an impediment to security researchers in particular.”