The Covid-19 Exposure Alert System for Android, developed jointly by Google and Apple, has a security flaw that allows apps pre-installed on the system to access confidential data. The information was revealed last Tuesday (27/04) by AppCensus, a digital privacy analysis company. Google will release a fix for the app.
AppCensus says it first identified the Android security flaw in February, but Google was unable to fix it. In an interview with the website The Markup, the analysis firm's co-founder, Joel Reardon, says the fix for the problem is as simple as deleting non-essential code from the program. "It's such an obvious solution that I was surprised to see it wasn't," he said.
The Covid-19 exposure alert system on Android works through signals exchanged via Bluetooth between the user's cell phone and other devices that have the system enabled. If one of the users tests positive for coronavirus, they can contact health authorities to send an alert to any phone with the app. In Brazil, this functionality is available in the Coronavirus-SUS app, developed by the Ministry of Health.
Update is “in progress”
According to Google spokesperson José Castañeda, updates to the system are ongoing. “We were notified of an issue where Bluetooth identifiers were temporarily accessible to system debugging apps, but we immediately began deploying a fix to resolve the issue,” he said in an emailed statement to The Markup.
Despite the Android security flaw, AppCensus CTO Serge Egelman stated, via Twitter, that users must maintain trust in public health technologies. According to him, this is an implementation problem in the system and not a reliability problem. “Vulnerabilities will always be discovered, but we all have to work together to remedy these problems,” he said.
AppCensus' analysis found no security issues in the iOS version of the COVID-19 tracking system.
Via: The Verge
Image: Markus Winkler/Unsplash/CC