More than 3 million Australians have downloaded COVIDSafe, but concerns remain about the performance of the federal government’s coronavirus contact tracing app on iPhone and other software bugs.
- Since its release, software engineers have been dissecting the COVIDSafe application
- Bluetooth capability of the app may be limited on iPhone if the app is not in the “foreground”
- Bugs were found in the registration process, including one that may affect Telstra’s rural customers
The app, which aims to speed up the process of identifying people who may have been exposed to COVID-19, uses Bluetooth to save the encrypted identifiers of nearby devices that also have the app.
Almost a week after launch, the government has yet to release its source code, but that hasn’t stopped software specialists from dissecting it.
Industry consensus so far suggests that the app works largely as described – it does not collect your GPS location and removes all information held on the app for more than 21 days – but that part of its design could be improved.
“Considering the time frame in which they got through, this is a pretty good initial release,” said Jessica Glenn, executive president of tech company QTE.am, who analyzed the app.
“There are a few bugs, but it’s inherent in all software. I imagine we’ll see a lot of them fixed in the next update.”
The government made no comment when asked for details on the timing of the first update of the COVIDSafe software.
iPhone problems remain
Whether COVIDSafe works efficiently on iPhone remains a key issue.
The software works best when the iPhone is unlocked and the app is open onscreen, according to the Digital Transformation Agency (DTA), which oversees the project.
A spokesperson for DTA admitted that there are limitations to Bluetooth functionality when an app is running in the background on an iPhone.
“When [an app is] running in the background, there may be some variability in digital handshakes on iOS devices,” he said, referring to the app’s ability to exchange signals with other apps on iOS.
An app is in the foreground when the phone is unlocked and the app is open on the screen, according to the DTA. The background refers to when you switch from using the app to another app or when the phone is locked.
This technical limitation could affect the app’s ability to retrieve close contacts, and thus reduce its usefulness for the contact tracing process as Australia relaxes lockdown measures.
During testing, Glenn said her team found “mixed” performance on iPhones when the app was in the background – that is, running but not visible on screen.
Apple’s iOS typically prevents third-party apps from running in the background and broadcasting Bluetooth signals – a security rule that meant Singapore’s TraceTogether app, which COVIDSafe is modeled on, also performed better on an unlocked iPhone.
Apple and Google are developing their own approach to contact tracing, and the DTA has said it will determine whether this capability could “improve the performance of COVIDSafe.”
Open source engineer Geoffrey Huntley took a close look at the Android version of the COVIDSafe app.
He discovered an accessibility issue when people start entering their contact details into the app.
While trying to register, some people may see an error message suggesting that their cell phone number is not valid. In some cases, this can be fixed by turning off Wi-Fi and instead using the mobile network for the initial setup.
The app will also try to send a verification code via SMS. This process cannot take place over Wi-Fi if you are with mobile network operators like Telstra that do not allow Wi-Fi SMS, as Gizmodo also reported.
This means that the app is not easily accessible by those who do not have reliable mobile reception – in rural areas, for example.
“If the government is trying to get people involved … that’s a great [issue] which has been open for four days now,” Mr Huntley said. “This needs to be resolved.”
A Telstra spokesperson said it plans to introduce SMS over Wi-Fi capability into the network and will work with the government “on alternative methods for the COVIDSafe app to send an authentication code”.
While investigating the issue, the DTA advised affected users to register with the app over the mobile network the next time they are in a coverage area. “It could be when they are going to town to buy groceries or supplies,” a spokesperson said.
There are also barriers for those coming from abroad or who use numbers and devices purchased in other countries.
The app only allows numbers with a country code +61 to be registered. Likewise, Android and iOS apps can only be downloaded from their respective app stores with an Australian account, meaning tourists and immigrant workers may not be able to use the app.
“It’s not as easy as switching between different stores,” Mr Huntley said. “You can’t do that unless you cancel all your subscriptions on your UK account, like Spotify… that’s a major hurdle.”
A spokesperson for the DTA said he was aware of the problem. “We are exploring options to ensure that as many Australians as possible can download and use COVIDSafe,” he said.
The app is also not available on smartphones with older operating systems due to security and Bluetooth limitations, according to the DTA. For Android, you need Android 6.0 or higher. For iOS, you need iOS 10 or higher.
How to report a bug
As software engineers look into COVIDSafe, the government has not released a way to have software bugs and vulnerabilities they find reported and fixed – a common practice in the tech industry.
“I would love if there was a simple reporting mechanism … and a formal bug bounty program would be very wise,” said Glenn, referring to the process by which companies pay those who identify serious vulnerabilities in their business software.
Mr Huntley also tried to report the bugs he found to the government. “I couldn’t find direct engineer-to-engineer contact,” he said.
The DTA now states that bugs can be reported through the app’s “Report a Problem” feature or by sending an email to email@example.com.
Public understanding of how the app works also evolves as the app is examined more closely.
While initial reports and government explanations for the app suggested that it was only collecting IDs from phones with COVIDSafe within a 1.5 meter radius for more than 15 minutes, it actually collects IDs from all phones within Bluetooth range – a practice that some have called “excessive”.
If you are diagnosed with COVID-19 and consent to it, that data will be shared with a central server and then “interpreted by an algorithm to provide state health authorities with information only on close contacts.”
As the ABC previously reported, the app also collects the model of phones it has encountered.
“Because mobile phone device models are different in terms of Bluetooth power and operation, all contacts within Bluetooth range are noted on the user’s device,” a DTA spokesperson said.
“Phone model data is not used for the contact tracing process.”