Mandatory Contact-tracing App Shows Security Problems

When Albion College announced it would re-open in June, it said that it would put health measures in place to help reduce the spread of COVID-19. These include reduced lecture sizes and virus tests for staff and students.

The college has also introduced a mandatory contact-tracing app, which has a number of privacy issues. The report highlights the problems facing these apps and the institutions that introduce them.

The Aura app is designed to alert the school when a student tests positive for the virus. This is to let students know when they may have come into contact with someone else who has it. 

But rather than relying on local Bluetooth proximity signals to tell when contact has occurred, Aura instead uses location data. It’s a practice that’s been criticized for creating privacy problems.

The approach allows the college to keep tabs on where students are going. It can, in fact, place restrictions on their movements.

Aside from having to install the app, students were told they are not allowed to leave campus without permission for the duration of the semester. The college fears that contact with the wider community might bring the virus back to campus.

If a student leaves campus without permission, the app will alert the school, and their ID card will be locked. Moreover, their access to campus buildings will be revoked, according to an email.

Investigations

Investigations showed other unintentional privacy oversights. Secret keys for the app’s backend servers were found in the app’s code, which allowed one researcher to access patient data stored in the app’s databases and in cloud storage.

They also discovered an issue with the QR codes the app generates. These are designed to confirm whether or not someone has tested negative for the virus.

A network analysis tool showed that the QR code was not generated on the device. Instead, it was generated on a hidden part of Aura’s website. 

The web address that generated the QR code included the Aura user’s account number. However, the account number isn’t visible from the app.

If the account number was increased or decreased in the web address by a single digit, it generated a QR code for that user’s Aura account.

Because they could see another user’s QR code, they could also see the student’s full name. They could see their COVID-19 test result status and what date the student was certified or denied.
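The flaw described above is an object reference that the server trusts without checking who is asking. The sketch below is an added example, not Aura's code: it sets that pattern beside a handler that ties the requested account to the caller's session, and adds a log check for sessions that request other users' account numbers. All names, records and log entries are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data; field names and values are assumptions.
ACCOUNTS = {
    1001: {"name": "Student A", "status": "certified", "date": "2020-08-10"},
    1002: {"name": "Student B", "status": "denied", "date": "2020-08-11"},
}
SESSIONS = {"sess-a": 1001, "sess-b": 1002}  # session token -> owning account


def qr_vulnerable(account_id):
    """Pattern from the article: the account number in the URL is the only check."""
    return ACCOUNTS.get(account_id)


def qr_hardened(session_token, account_id):
    """Return (http_status, record); a caller may only read its own account."""
    owner = SESSIONS.get(session_token)
    if owner is None:
        return 401, None
    # Same answer for "exists but not yours" and "does not exist", so the
    # response cannot be used to learn which account numbers are valid.
    if owner != account_id or account_id not in ACCOUNTS:
        return 404, None
    return 200, ACCOUNTS[account_id]


def flag_enumeration(access_log, max_foreign_ids=1):
    """Flag sessions that requested more than max_foreign_ids accounts not their own."""
    foreign = defaultdict(set)
    for session_token, account_id in access_log:
        if SESSIONS.get(session_token) != account_id:
            foreign[session_token].add(account_id)
    return sorted(s for s, ids in foreign.items() if len(ids) > max_foreign_ids)


# Constructed access log: (session token, requested account number).
SAMPLE_LOG = [
    ("sess-a", 1001),
    ("sess-b", 1002), ("sess-b", 1001), ("sess-b", 1003), ("sess-b", 1004),
]

if __name__ == "__main__":
    print(qr_vulnerable(1002))            # no ownership check at all
    print(qr_hardened("sess-a", 1002))    # refused: not the caller's account
    print(flag_enumeration(SAMPLE_LOG))
```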

These most dire issues have since been fixed by the app’s developers. However, one security researcher said that they pointed towards the app being a “rush job.” 

The incident raises questions about the contact-tracing software being rolled out in other institutions around the world. An investigation could shed important light on the problems it could cause.

Published by
John Marley