Security experts have dismissed privacy and spying concerns related to the COVID-19 Alert SA app, saying it gathers no information which can identify you or your location.
On 16 September, President Cyril Ramaphosa urged South Africans with smartphones to download the COVID Alert mobile app.
He said the app has been zero-rated by mobile networks to remove data costs and is completely anonymous.
“It does not gather any personal information, nor does it track anybody’s location,” Ramaphosa said.
In simple terms, the app lets people know when they have been in close contact with someone who has tested positive for COVID-19.
The COVID-19 Alert SA app has been built using Apple and Google’s exposure notification framework.
Instead of using a person’s location, the app uses Bluetooth signals to exchange ‘random codes’ with other COVID Alert SA app users.
This happens when their smartphones are within two metres of each other for more than 15 minutes.
The codes that are exchanged are then stored in a log on each phone for two weeks.
When an app user tests positive for COVID-19, they can report this information on the app anonymously.
Their device then uploads all of the random codes that it has on record for the past two weeks to the exposure notification server.
The server sends these codes to the other users of the app, and if there is a match, the user who has been in contact with the person who has tested positive for COVID-19 is notified.
Users who receive this notification will also be informed on how to self-quarantine, and how to remain healthy.
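The exchange described above, as an added Python sketch that is not the app's or the Apple/Google framework's code. It is a simplified model: each code is a plain random value, and the names `Phone`, `Server` and `demo` and the sample contacts are constructed for illustration. It shows that the server only ever holds random codes and that the match is computed on each phone.

```python
import secrets
from dataclasses import dataclass, field

RETENTION_DAYS = 14  # the article: codes are kept in the log for two weeks

@dataclass
class Server:
    published: set = field(default_factory=set)  # random codes only: no names or locations

@dataclass
class Phone:
    sent: dict = field(default_factory=dict)   # code -> day this phone broadcast it
    heard: dict = field(default_factory=dict)  # code -> day it was received from a nearby phone

    def new_code(self, day):
        code = secrets.token_bytes(16)  # random value, carries no identity or position
        self.sent[code] = day
        return code

    def contact(self, other, day):
        """Model two phones staying close long enough: each logs the other's fresh code."""
        mine, theirs = self.new_code(day), other.new_code(day)
        self.heard[theirs] = day
        other.heard[mine] = day

    def prune(self, today):
        """Drop log entries older than the retention window."""
        for log in (self.sent, self.heard):
            for code in [c for c, d in log.items() if today - d >= RETENTION_DAYS]:
                del log[code]

    def report_positive(self, server, today):
        self.prune(today)
        server.published.update(self.sent)  # only the random codes leave the phone

    def exposed(self, server, today):
        self.prune(today)
        # The comparison runs on the phone; the server never learns who matched.
        return any(code in server.published for code in self.heard)

def demo():
    server, alice, bob, carol = Server(), Phone(), Phone(), Phone()
    alice.contact(bob, day=1)     # constructed: old contact, expires before the report
    alice.contact(carol, day=10)  # constructed: contact inside the two-week window
    alice.report_positive(server, today=16)
    return bob.exposed(server, today=16), carol.exposed(server, today=16), server

if __name__ == "__main__":
    print(demo()[:2])
```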
Security concerns dismissed
Shortly after the COVID-19 Alert SA app was launched, messages started to circulate claiming that the government is using the app to spy on people.
Some of the concerns include that the app identifies people and tracks their movement through location services.
Concerns were also raised about the permissions requested by the app, which include pairing with Bluetooth devices and running at startup.
Security experts dismissed these concerns, explaining the app is completely anonymous and does not use location services.
Mobile app expert Alastair Hendricks said Apple and Google collaborated to create a secure, privacy-preserving way to log exposures between devices using Bluetooth.
He explained the implementation uses random IDs that can’t be used to identify a user or their location.
Instead, your phone periodically checks all the random IDs associated with positive COVID-19 cases on a server against its own list.
“If you test positive for COVID-19, you would log this in the app and it would upload your random IDs,” he said.
“This app does not allow for anyone to track your movements and goes through stringent review with Apple and Google.”
Commenting on why the app launches at startup, he said it’s much more effective if it’s always logging possible exposures.
He added that the app is incredibly privacy-focused and does not include any third-party tracking libraries.
Sensepost CEO Dominic White echoed Hendricks’s views, saying the COVID-19 Alert SA app asks for far fewer permissions than other apps like Facebook require.
“The COVID-19 Alert SA app doesn’t track you in any usable way. Facebook, Instagram, and Takealot are significantly more invasive as apps,” he said.
Alastair Hendricks comments
I’ve received a few messages asking me to clarify some misconceptions out there about South Africa’s Covid Alert App.
Here’s a 🧵 answering the most asked questions.
— Alastair Hendricks (@ali_hen) September 19, 2020
Dominic White comments
Hey, South Africans, I just got forwarded a misinformation video from someone named “Daniel” who claims to be an app developer warning you not to install the COVID Alert South Africa app (https://t.co/ChlzTKpNAu) because of the permissions it requests. Which are: pic.twitter.com/tFAl2WvuLk
— Dominic White 🧬 (@singe) September 18, 2020