An Empirical Assessment of Global COVID-19 Contact Tracing Applications

The rapid spread of COVID-19 has made traditional manual contact tracing to identify persons in close physical proximity to a known infected person challenging. Hence, various public health authorities have experimented with automating contact tracing with mobile apps. However, these apps have raised security and privacy concerns. In this paper, we propose an automated security and privacy assessment tool - COVIDGuard - which combines identification and analysis of Personal Identification Information (PII), static program analysis, and data flow analysis, to determine security weaknesses and potential private information leakage in contact tracing apps. Furthermore, in light of our findings, we undertake a user study to investigate user concerns regarding contact tracing apps. We hope, COVIDGuard and the issues raised through responsible disclosure to vendors, the concrete guidelines provided, as well as the identified gaps between user requirements and app performance we found, can contribute to the development and deployment of mobile apps against COVID-19 and help us build secure and effective digital contact tracing solutions.