You should be more scared of Facebook than the COVID-19 Alert SA app

When President Cyril Ramaphosa announced last week that South Africa would move to lockdown level 1, he urged the public to download the COVID-19 Alert SA app.

This application is designed to prevent the spread of the coronavirus by notifying you if you have come into contact with somebody that has tested positive for COVID-19.

It is available to download for free from the Google Play and Apple App Store, and it is zero-rated by the mobile networks.

Ramaphosa also told South Africans during his address that the application is completely anonymous and does not track your personal data or location.

This is because the app uses Bluetooth, and not location tracking, to exchange encrypted codes with other app users that determines whether they were in contact with each other.

The exchange of codes happens when their smartphones are within two metres of each other for more than 15 minutes, and these codes are stored for two weeks.

When an app user tests positive for COVID-19, they can report this information on the app anonymously.

Their device then uploads all of the random codes that it has on record for the past two weeks to the exposure notification server, which notifies other uses accordingly.

Unfounded security concerns

Following Ramaphosa’s recommendation that South Africans install the app, false messages began to circulate that the app would invade citizens’ privacy and was being used to spy on them.

A number of false messages state that the app can be used to track their location and identify users in real-time.

While security experts have already refuted these alarmist narratives, there is a simple and effective way to determine the intrusiveness of a mobile application on your privacy – the app’s permission list.

This was shown by Orange Cyberdefense South Africa manager Dominic White, who pointed out on Twitter that the permissions of the app disprove the misinformation spreading about the security of the application.

Applications downloaded from the Google Play and Apple App Store cannot access any of your personal data, location information, or other hardware features without asking permission from the operating system first.

By inspecting these permissions, it is clear that even if the COVID-19 Alert SA application was programmed to monitor user location or access personal data, it would be unable to do so as it does not have the required permissions.

In contrast, a number of social media apps require virtually unrestricted permissions to function correctly, making them far more likely to track your location and personal data.

We compared the permissions required by the COVID-19 Alert SA app with those required by one of the social platforms where the misinformation about the application spread most virulently – Facebook.

All permission data was sourced from the Google Play Store at the time of writing.


COVID-19 Alert SA Permissions

Below are the full permissions for the Android version of the COVID-19 Alert SA app, as detailed on the Play Store:

  • View network connections
  • Pair with Bluetooth devices
  • Full network access
  • Run at startup
  • Prevent device from sleeping

Each of these permissions is understandably required within the scope of the application’s operations.

For example, network access would be needed to send or receive encrypted codes while running at startup and preventing the device from sleeping allows the app to continue monitoring your proximity to other people without your intervention.

Pairing with Bluetooth devices is obviously necessary, as this is the method by which the app can anonymously and privately trade tokens with others you come into contact with.

Note that no personal or location information is exposed. Neither does the application have any access to your microphone, file system, or any other sensitive interface.


Facebook Permissions

It is immediately apparent, when comparing the permissions above with those of an app like Facebook, that there is far more cause for privacy concerns with the latter software.

Everything from your camera and microphone to your file system and the names of the other apps you are running in the background is exposed to Facebook.

While the company may state it uses these permissions only when necessary, it has historically been the case that major platforms like Facebook have been inadvertently or purposefully abusing this level of access into their users.

Below is the full list of permissions required by Facebook’s Android app, which shows clearly that it should be far more worrying to download than the COVID-19 Alert SA app:

Device and app history

  • Retrieve running apps

Calendar

  • Add or modify calendar events and send email to guests without owners’ knowledge
  • Read calendar events plus confidential information

Location

  • Precise location (GPS and network-based)
  • Approximate location (network-based)

Microphone

  • Record audio

Phone

  • Read phone status and identity
  • Directly call phone numbers

Identity

  • Find accounts on the device
  • Add or remove accounts
  • Read your own contact card

Storage

  • Read the contents of your USB storage
  • Modify or delete the contents of your USB storage

Wi-Fi connection information

  • View Wi-Fi connections

Photos/Media/Files

  • Read the contents of your USB storage
  • Modify or delete the contents of your USB storage

Camera

  • Take pictures and videos

Device ID and call information

  • Read phone status and identity

Contacts

  • Find accounts on the device
  • Modify your contacts
  • Read your contacts

Other

  • Download files without notification
  • Receive data from Internet
  • Read TV channel/program information
  • Write TV channel/program information
  • Send sticky broadcast
  • Connect and disconnect from Wi-Fi
  • Change your audio settings
  • Modify system settings
  • Read sync settings
  • Install shortcuts
  • Read battery statistics
  • Run at startup
  • Prevent device from sleeping
  • View network connections
  • Pair with Bluetooth devices
  • Toggle sync on and off
  • Full network access
  • Control vibration
  • Read Google service configuration
  • Change network connectivity
  • Access Bluetooth settings
  • Control Near Field Communication
  • Create accounts and set passwords
  • Draw over other apps

Facebook vs COVID-19 Alert SA Permissions

Permission Facebook COVID-19 Alert SA
Other
View network connections Yes Yes
Pair with Bluetooth devices Yes Yes
Full network access Yes Yes
Run at startup Yes Yes
Prevent device from sleeping Yes Yes
Download files without notification Yes No
Receive data from Internet Yes No
Read TV channel/program information Yes No
Send sticky broadcast Yes No
Connect and disconnect from Wi-Fi Yes No
Change your audio settings Yes No
Modify system settings Yes No
Read sync settings Yes No
Install shortcuts Yes No
Read battery statistics Yes No
Control vibration Yes No
Read Google service configuration Yes No
Change network connectivity Yes No
Access Bluetooth settings Yes No
Control Near Field Communication Yes No
Create accounts and set passwords Yes No
Draw over other apps Yes No
Device and app history
Retrieve running apps Yes No
Calendar
Add or modify calendar events and send email to guests without owners’ knowledge Yes No
Read calendar events plus confidential information Yes No
Location
Precise location (GPS and network-based) Yes No
Approximate location (network-based) Yes No
Microphone
Record audio Yes No
Phone
Read phone status and identity Yes No
Directly call phone numbers Yes No
Identity
Find accounts on the device Yes No
Add or remove accounts Yes No
Read your own contact card Yes No
Storage
Read the contents of your USB storage Yes No
Modify or delete the contents of your USB storage Yes No
Wi-Fi connection information
View Wi-Fi connections Yes No
Photos/Media/Files
Read the contents of your USB storage Yes No
Modify or delete the contents of your USB storage Yes No
Camera
Take pictures and videos Yes No
Device ID and call information
Read phone status and identity Yes No
Contacts
Find accounts on the device Yes No
Modify your contacts Yes No
Read your contacts Yes No

Now read: South Africa’s COVID-19 Alert app is safe and you should install it – Security experts

Latest news

Partner Content

Show comments

Recommended

Share this article
You should be more scared of Facebook than the COVID-19 Alert SA app