Much has been made of the UK Government’s attempt to develop a COVID-19 tracing app for England (the devolved administrations have taken a different tack).
In order for the app to be a useful tool to suppress the virus, large-scale adoption is required – estimates indicate that 80% of smartphone users will need to download the app for it to have the desired impact. Adoption on this scale will only occur if citizens trust the tool.
Centralized vs. Decentralized Data Collection
The UK government found itself in a whirlwind of bad press when it chose a “centralized” data model, going against the recommendations of cybersecurity experts to use a “decentralized” approach. The centralized model gathers all the tracking data into a single government-managed database. This means, in theory, that the government can access all the data and that there is a single “honey pot” for attackers to target. With a decentralized approach, the data and its processing are spread across all the phones running the app, and each phone only receives the data it needs to know.
While a decentralized model is better in practice, the reality is that for the purpose of tracing COVID-19, the benefits of a decentralized approach are minimal. When considering certain factors, it is easy to see why a simpler centralized approach was chosen. The data required for tracing is small and does not include intimate personal details. The time window for the app’s utilization is also (hopefully) short and users will be able to delete the app in a few months.
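The two data models described in this section can be compared by what the server ends up holding. The following is an added example, not code from the UK app or from this article's author: a simplified model in which the class names, the HMAC-derived rotating IDs and the three-phone scenario are all assumptions made for illustration.

```python
import hashlib
import hmac
import os

def ephemeral_ids(daily_key, slots=4):
    # Rotating broadcast IDs derived from a phone's secret daily key (assumed scheme).
    return [hmac.new(daily_key, bytes([i]), hashlib.sha256).digest()[:16]
            for i in range(slots)]

class Phone:
    def __init__(self, name):
        self.name, self.daily_key, self.heard = name, os.urandom(32), set()

    def meet(self, other, slot=0):
        # Each handset records the ID the other one is broadcasting.
        self.heard.add(ephemeral_ids(other.daily_key)[slot])
        other.heard.add(ephemeral_ids(self.daily_key)[slot])

    def check_exposure(self, published_keys):
        # Decentralized matching runs on the handset; `heard` never leaves it.
        return any(eid in self.heard
                   for key in published_keys for eid in ephemeral_ids(key))

class CentralServer:
    # Centralized model: the server issues IDs, stores contact logs, does matching.
    def __init__(self):
        self.registry, self.contacts = {}, []

    def register(self, name):
        uid = os.urandom(8).hex()
        self.registry[uid] = name
        return uid

    def upload(self, reporter_id, seen_ids):
        self.contacts += [(reporter_id, seen) for seen in seen_ids]

    def at_risk(self, infected_id):
        return {self.registry[s] for r, s in self.contacts if r == infected_id}

def simulate():
    alice, bob, carol = Phone("alice"), Phone("bob"), Phone("carol")
    alice.meet(bob)  # constructed scenario: carol meets nobody
    central = CentralServer()
    ids = {p.name: central.register(p.name) for p in (alice, bob, carol)}
    central.upload(ids["alice"], [ids["bob"]])  # alice is diagnosed, uploads her log
    published_keys = [alice.daily_key]  # all a decentralized server would hold
    local = {p.name: p.check_exposure(published_keys) for p in (bob, carol)}
    return central.at_risk(ids["alice"]), local, central.contacts
```

Both models flag the same contact, but the central server stores a linkable who-met-whom record, while in the decentralized case the server-side state is only the diagnosed user's key.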
The Necessity of Secure Source Code
Following the Cambridge Analytica scandal and the recent publicity around TikTok, the general population is more aware than ever of the privacy risks of sharing personal data online. While this doesn’t keep people from sharing data, they do want to know that their information will only be used for the intended purposes.
The cybersecurity challenges for the UK’s COVID-19 app really began when the source code was released. Presumably, the government released the source code in an attempt to handle the bad press after choosing a centralized data model. The release was meant to provide transparency. During the dilemma, BBC News even provided a link to the GitHub repository so anyone could download it. While transparency in government is normally a good thing, in this instance it showed a complete lack of understanding when it comes to mobile app security.
In an attempt to spin bad press, releasing the source code actually exposed valuable information to malicious hackers.
Source Code in the Hands of Hackers
One of the most popular forms of cyber attack is to create an imitation version of a popular app, then trick (or “phish”) vulnerable users into downloading it. Historically, 86% of malware has been delivered this way. One of the highest-profile examples of this was ad-riddled versions of Pokémon Go that claimed to circumvent geofencing restrictions.
Normally, attackers will spend time crafting the imitation to ensure that it looks and acts as close as possible to the original version. The longer a user thinks they’re using the original app, the longer the malware stays undetected on their phone. By releasing the source code, attackers were given everything they needed to create the perfect imitation app.
Utilize App Protection to Keep Citizens and their Data Secure
The exposed source code along with the COVID-19 pandemic created the perfect storm for hackers: an unsettled population of people being told by their government to install an easily imitated app. If cybercriminals posed as the NHS and sent links to download an imposter app via text message or email, how many citizens would take the malicious bait? In today’s climate, this kind of attack is becoming commonplace. Verimatrix recently reported on the dramatic rise in phishing attacks during COVID-19.
Other countries are using App Shielding technology – including Verimatrix’s – to protect their tracing apps from reverse engineering. This is best practice, and it makes it much more difficult for criminals to create malicious copies of an app while ensuring the integrity and privacy of the data it processes.
As for the UK Government’s app, it is currently suffering from development difficulties. Beyond a limited trial on the Isle of Wight, it has yet to be rolled out.