Laughable security flaws identified in NHS contact tracing app
What you need to know
- Security experts have exposed laughable flaws in the NHS' contact tracing app.
- Source code analysis revealed seven holes.
- Staggeringly, the random ID code used to protect user privacy only changes once every 24 hours, and the beta for the app was published before encryption was finished.
A security report based on source code analysis of the NHS' contact tracing app has revealed several serious security flaws in the software.
As reported by Business Insider:
The report in question comes from State of It, and two cybersecurity experts based in Australia. To the app's credit, the report notes that the UK's effort has better mitigation than Singapore and Australia's app, however, they remain unconvinced that "the perceived benefits of centralized tracing outweigh its risks."
As summarized by Business Insider:
Not only that, but staggeringly, the rotating random ID code which is used to protect users' privacy only changes once a day. By comparison, Apple and Google's API does this every 10-20 minutes.
In a further, perhaps even more shocking revelation, the National Cyber Security Centre published a response to report, noting the following on encryption:
"Just couldn't be done in time for the beta." Rather than delay the release of the beta so that they could, you know, encrypt the data, NHSX just pushed the app out anyway. Great work everyone.
Be an expert in 5 minutes
Get the latest news from Android Central, your trusted companion in the world of Android
The report states in conclusion:
There are admirable parts of the implementation and once the already mentioned changes and updates are made, many of the concerns raised in this report will have been addressed. However, there remains some concern as to how privacy and utility are being balanced. The long-lived BroadcastValues, and detailed interaction records, remain a concern. Whilst we understand that more detailed records may be desirable for the epidemiological models, it must be balanced with privacy and trust if sufficient adoption of the app is to take place.