
Apple-Google Exposure Notification has a privacy flaw on Android

The Android version of the Apple and Google Exposure Notification system reportedly has a flaw that may have leaked sensitive data to a device's preinstalled apps.

Back in 2020, the two tech giants unveiled the collaborative project as a way to help mitigate the spread of coronavirus. Although Apple and Google promised that the system would be privacy-respecting, a new report suggests that may not be the case on Android.

According to The Markup, a flaw in the system could let preinstalled apps on an Android device see sensitive information, such as whether a user has been in contact with another person who tested positive for COVID-19.

The issue lies in the fact that contact tracing data is stored in privileged system memory on Android devices. While that memory is normally inaccessible to other apps, preinstalled apps from manufacturers can see those logs because of special privileges. There is no indication that any apps have abused the flaw, however.

App privacy analysis firm AppCensus discovered the flaw and reported it to Google in February. As of Tuesday, the issue has yet to be resolved.

Google says that updates to fix the issue are currently "ongoing." However, according to AppCensus, fixing the issue would only require deleting a few "nonessential" code strings.

According to The Markup and researchers at AppCensus, the iPhone version of the exposure notification system does not have any similar vulnerabilities.



4 Comments

ihatescreennames 19 Years · 1977 comments

“Google” and “privacy-respecting” probably don’t belong in the same sentence. Who is surprised by this? Facebook has probably already linked that data to its users.

22july2013 11 Years · 3736 comments


The issue lies in the fact that contact tracing data is stored in privileged system memory on Android devices. While that memory is normally inaccessible to other apps, preinstalled apps from manufacturers can see those logs because of special privileges. There is no indication that any apps have abused the flaw, however.

Apple's apps are required to have no special privileges, when compared with Apple's competitors, so why do Google's Android vendors get away with it? Sounds like an antitrust violation to me. 

derekmorr 16 Years · 237 comments

Apple's apps are required to have no special privileges, when compared with Apple's competitors, so why do Google's Android vendors get away with it? Sounds like an antitrust violation to me. 

It’s no such thing. The issue is the use of the READ_LOGS app permission on Android. That permission lets apps read system log files. It was intended for use for debugging apps. Back in 2012, Google changed the OS so that third party apps could no longer obtain this permission. This change was intended to protect user privacy by disallowing third party apps from reading potentially sensitive data.

EsquireCats 8 Years · 1268 comments

derekmorr said:
Apple's apps are required to have no special privileges, when compared with Apple's competitors, so why do Google's Android vendors get away with it? Sounds like an antitrust violation to me. 
It’s no such thing. The issue is the use of the READ_LOGS app permission on Android. That permission lets apps read system log files. It was intended for use for debugging apps. Back in 2012, Google changed the OS so that third party apps could no longer obtain this permission. This change was intended to protect user privacy by disallowing third party apps from reading potentially sensitive data.

Beggars belief that such a function was ever available outside the test environment.