Security Risks of Mobile Apps for Covid-19 Contact Tracing

In the last few months, the novel coronavirus has swept the world. To date, over 3 million people have been infected worldwide, and by March a full 20% of the global population was under some form of lockdown or stay-at-home orders.

Amidst this scary situation, many companies, governments, and other organizations are making efforts to use mobile applications to help healthcare professionals. For example, our customer Allego created an app  to host ventilator manuals, with the goal of making it easy to train frontline medical professionals on how to use these crucial pieces of equipment. (If you know a healthcare professional looking for ventilator manuals, please feel free to share the Ventilator Training Alliance with them.)

There are countless other inspiring stories of people from all industries and walks of life collaborating to help solve this crisis. But when it comes to mobile development, there is an emerging category of coronavirus-focused apps: contact tracing apps. 

Recently, Guardsquare’s Chief Scientist, Grant Goode, wrote about the risks of contact tracing apps for SC UK. In this post, we explore the core risk areas of mobile healthcare apps—like contact tracing apps.

A Rise in Contact Tracing Apps

Contact tracing is a way to track the spread of diseases by understanding when individuals with a positive diagnosis come into contact with others. This process is often done manually by humans, but when a disease is as contagious as the novel coronavius, public health professionals get outpaced by the spread.

Thus, organizations like the NHS, cities in China, and many others have created mobile apps to trace Covid-positive contacts. These efforts are controversial for multiple reasons, including privacy concerns around the role and reach of governments.

What we think about the most at Guardsquare is mobile application security—what are the risks around these apps, and how can developers proactively protect them?

A Target for Hackers and a Risk for Organizations

Hackers may be interested in these apps for several reasons, including to:

• Create confusion amongst the population
• Reduce trust in governments and other organizations

In addition, hackers may be able to use these apps for scams. Depending on how they’re built and the kind of data they gather, some apps may contain highly sensitive information, like health conditions, diagnoses, and other personally identifiable information. Any data that can identify a specific individual is valuable to hackers, and so these apps could become attractive targets for bad actors. 

If hackers were to compromise an app, this could cause big problems for app-makers. Health information is legally protected in many countries; for example, by HIPAA in the USA. In addition, there are other statewide, national or international data privacy regulations that may come into play during a hack, such as GDPR. In short: organizations could lose out in terms of both finances and reputation, if a contact tracing app was compromised.

Building Healthcare Apps with Security in Mind

When creating contact tracing or other healthcare apps, developers should embed security testing into their process as much as quality-testing. As with mobile apps across all industries, contact-tracing apps can benefit greatly from increased security protections. Three core ways to strengthen security are:

• Implement Code Hardening: Techniques that obfuscate an app’s code prevent hackers from reverse-engineering apps to extract sensitive information, tamper with the code, inject malware, etc.
• Build In Runtime Application Self-Protection (RASP): RASP monitors the integrity of the application and its runtime environment and automatically responds to detect threats.
• Activate Real-Time Threat Monitoring: Enact monitoring solutions and processes that quickly identify when something unusual is happening within an app, so risks can be mitigated and security measures reinforced.

While much is still unknown about the future of contact tracing apps, healthcare apps aren’t going away anytime soon. Regardless of their specific function, mobile applications will continue to be used for medical work. This could have a positive benefit to healthcare, making it faster, easier, and more effective. But, like all mobile apps, the developers of these tools will need to take great care in ensuring the security and privacy of their users.