COVIDSafe code released, but developers unhappy


Denham Sadler
Senior Reporter

The source code for Australia’s COVID-19 contact tracing app has finally been publicly released, but a group of developers scrutinising the service say it has not been properly open sourced and feedback has been blocked.

The Digital Transformation Agency released the source code for its COVIDSafe app on Friday evening, two weeks after the service was launched nationally, with more than 5 million people having since downloaded it.

The source code, hosted on a GitHub repository, has already been combed over by a number of academics, and legal and digital rights experts.

The DTA said the code was reviewed by government security agencies, academics and industry specialists before the app was released.

Open source software engineer Geoffrey Huntley formed a group of tech experts to analyse the COVIDSafe app when it was first released more than two weeks ago. The group was able to scrutinise the source code before it was publicly released by reverse engineering the Android version.

Melbourne
COVIDSafe source code: Not really following open source best practice*

Mr Huntley said the group uncovered a number of bugs and security vulnerabilities, with some posing a significant threat to privacy. But he said he has struggled to contact the government over these issues, and none have been fixed despite COVIDSafe being given an update last week, which Mr Huntley said was just a “new coat of paint”.

While the source code for COVIDSafe is now public, the government has not followed good open source practice, Mr Huntley said, with no audit trail of the changes made to the code and no way to directly suggest changes or raise concerns around a potential vulnerability, and pull requests disabled.

The National Health Service in the UK has also recently revealed the source code for its own contact tracing app, and this was done in a much friendlier way more conducive to working with the tech community to improve the safety of the service, Mr Huntley said.

The terms and conditions associated with accessing the code has also concerned a number of the tech experts looking to help, he said.

“The Australian tech industry really wants to help make it better, but their actions are absolutely hostile,” Mr Huntley told InnovationAus.

“We want to follow what the NHS did, which is build a healthy community that wants to help out. We have a community of software engineers and experts but they are inhibited from looking at the source code because of the licencing problem,” he said.

“They released the source code but did it in the most political, check-box way and scrubbed all of the history and all of the metadata. There’s no way to know when a bug was fixed and it’s very hard to track at all. They have deleted all of the audit trail and disabled the ability for one to ever happen.”

In contrast to this, the NHS has welcomed feedback on its code and has followed open source best practice, Mr Huntley said.

“They did a big announcement saying that if you’ve got time, space and capacity, can you help us out? The source code is on GitHub, it’s all open source and the software development is happening online as you’d expect with an open source community,” he said.

“Anyone in the world can help them build a better app. [In Australia] the source code has been published online but they’ve disabled the ability for people to submit improvements, they archived the repository and they’ve removed all history from the app, so it’s very hard to see how it was developed.

“It’s not good behaviour if they wanted to build a healthy community – they won’t do that with this approach. This software has been paid for by the Australian public, but it’s not open source and there’s no ability to contribute to it.”

QTE.am executive chair and software developer Jessica Glenn has also been analysing the COVIDSafe source code and shares concerns about the app not being properly open source.

“While the source code has been released for viewing, it is definitely not what would be considered ‘open source’. This distinction is important, it means that read access has been granted for people to view what is inside the code, but that there is no ability for community contribution or collaboration,” Ms Glenn told InnovationAus.

In releasing the code, the DTA did acknowledge it had received feedback on the app and potential issues to be resolved, and launched a new email address to facilitate more responses, support@covidsafe.gov.au.

“While we may be unable to reply to every individual who provides feedback, please know that your feedback will be reviewed and triaged depending on its impact on security and usability. In some instances, the DTA may contact you to gain a deeper understanding about the issues raised,” the DTA said.

The first update for COVIDSafe was rolled out last week, with another expected in the coming days.

The DTA is also working with Apple and Google and told a Senate hearing last week that it would be able to implement a fix for the issues the service is encountering on iPhones in the next fortnight.

The code released on Friday by the government reflects what many in tech community have already revealed about the COVIDSafe app through reverse engineering the Android version, and does only what the government said it would, Ms Glenn said.

“What we do know from the code that was released falls into line with what we were able to find, and what other independent researchers have backed up, when reverse engineering the apps over the last couple of weeks,” she said.

“The application is innocuous, and we haven’t been able to find any malicious code, or intentional overreach. Most of the issues of note are not about the technical implementation of the application.

“The largest issues with the roll-out of COVIDSafe are communications, both with the wider community and the tech community specifically. We have hopes that the communications plan will be improved iteratively.”

*Photo credit: Adam Calaitzis/Shutterstock.com

Do you know more? Contact James Riley via Email or Signal.

Leave a Comment

Your email address will not be published.

Related stories