With the onset of COVID-19, governments worldwide planned to develop and deploy contact tracing apps to help speed up the contact tracing process. However, experts raised concerns about the long-term privacy and security implications of using these apps. Consequently, several proposals were made to design privacy-preserving contact tracing apps. To this end, Google and Apple developed the Google/Apple Exposure Notification (GAEN) framework to help public health authorities develop privacy-preserving contact tracing apps. In the United States, 26 states used the GAEN framework to develop their contact tracing apps. In this paper, we empirically evaluate the US-based apps to determine 1) the privileges these apps have, 2) if the apps comply with their defined privacy policies, and 3) if they contain known vulnerabilities that can be exploited to compromise privacy. The results show that all apps violate their privacy policies and contain several known vulnerabilities.