REPORT COVID APPS SECURITY BENCHMARK

About a year after the launch of the Corona warning app in Germany, now is a good time to review these apps both in Germany and abroad. Our valued and trusted partner for app security tests, umlaut, has paid particular attention to possible weaknesses in the apps.

Hannes Rügheimer

At the beginning, hopes were still high: digital technology and clever software were supposed to play a central role in containing the Covid 19 pandemic. But it soon became clear that the reach of Corona warning apps is barely sufficient for digital alerts to reach their full potential – in Germany and beyond.

Still, even with limited population penetration, the warning apps can help protect their users and break chains of infection. Nevertheless, the goal is that these apps should be much more effective.

Even when leaving fundamental skeptics aside, many potential users still seem to distrust the security and data protection of the warning apps. For connect and umlaut, this provided all the more reason to take a closer look at exactly these aspects.

German app gets a lot right

As is inevitable with the topic of Covid-19, the discussion about the Corona warning apps is very emotional. It is often said in Germany that our strong focus on data protection hinders the efficiency of the warning app and that other countries have found better compromises on this issue. In order to enable a factual examination of this thesis, umlaut examined not only the current status of the German warning app but also its equivalents in several other countries. The surprising result: although the Covid apps from Australia, the UK and the USA also do a very good job in terms of safety, and those from South Africa and Canada still perform well in this respect, Germany is ahead – in terms of performance and also regarding app distribution. But read for yourself.

"We can certify the Corona warning apps to offer a good or partly even very good level of security and data protection. App providers from many countries achieve convincing results. Still, German app users can rely on the best security rating in our comparison."
Hakan Ekmen, CEO Telecommunication at umlaut

Corona Warning App

In its first year, the German Corona app experienced a turbulent history, but also received many functional improvements.

The Corona warning app has been available in Germany since June 2020. After long discussions during preparations, the consortium of Deutsche Telekom and SAP, with the support of the Robert Koch Institute (RKI), had the app up and running in a fairly short time. In the first five days, it reached almost 11 million users, but then the enthusiasm stagnated. Today, the app counts around 28 million users. With a penetration of around 34 percent of the population, Germany leads the field in our comparison of countries. However, even this figure is still a long way from the 60 to 70 percent that experts demand for maximum effectiveness of contact warnings.

For distance detection via Bluetooth LE, the app uses the "Exposure Notification Framework" built by Google and Apple into their mobile operating systems; since the end of 2020, it has been using its more precisely working version 2.0. In principle, the app runs on iPhone 5s and iOS version 12.5 or higher, and on Android version 6 or higher – although Android requires a special supplementary update. Since the end of 2020, the app can also be used on Huawei devices despite the lack of "Google Services", thanks to a group of free developers. Downloading the app is possible via the alternative app store, "F-Droid".

High warning threshold: Most users see a "low risk". Vice versa, this means that warnings issued by the app should be taken seriously.

The trigger level of the warnings can be adjusted on the server side. After messages about a possibly increased risk often left users perplexed, the programmers raised this threshold. Now, however, there is once again criticism that the app warns inconsistently. Even though the warning function makes an important contribution to assessing the risk of infection, its analyses are still only reliable to a limited extent due to the insufficient penetration. In view of the frequent extensions of Corona restrictions, this led to increasing criticism of the app – the arduously negotiated decentralized storage principle is accused of favoring data protection too one-sidedly. It should be noted, however, that while the theoretical alternative of centralized data storage would better allow analyses of the infection incidences by the RKI and other government agencies, it would hardly have contributed to a wider penetration of the app. Yet this alone would be a leverage that could enable greater effectiveness of the contact tracing and an improved accuracy of the risk assessment.

Still, the criticism of its limited usefulness led to the app continually adding more features: since late 2020 (version 1.10), it offers a contact diary in which, for example, meetings among family and friends can be registered. Since March 2021 (version 1.13), voluntary data donations for scientific research have been possible, and in April (version 2.0), event registration was added. This allows organizers to generate a QR code for their events in the app and publish it, for example, on a poster. Participants can then scan it via the app. With the latter function, the providers also responded to alternative but now controversially discussed advances such as the "Luca" app. Since May (version 2.1), the results of rapid tests can be noted in the app. For some rapid test sites, identification is now also possible via a test profile stored in the app. And by the end of June, the digital vaccination certificate currently under development is planned to be integrated. However, critics point out that such additional functions are also available via other apps.

Event Manager: Since April 2021, the app has included registration functions for physical meetings – supporting both organizers and participants.

In connect 9/2020, we already tested the security of the then current versions 1.0.4 (Android) and 1.0.2 (iOS) together with umlaut and were able to certify top results for the Corona warning app: 976 points ("outstanding") for the iOS version, 932 points ("very good") for the Android variant. In the comparison at hand, we restrict ourselves to the version for the more widespread and less "bulkheaded" Android. The version 2.0.4 examined by umlaut could increase its result to 940 points – its developers obviously considered some of the suggestions for improvements identified in our first test. Thus, the app now achieves the full score in the data security category. The security of data traffic remained unchanged and still offers minor possibilities for optimization. The testers identified somewhat greater potential for improvement in integrity protection (the "Impersonation attacks" category). Here the solutions from Australia and South Africa rank slightly better. The source code security of the open source project is again at the top of the test field, but still offers minor starting points for optimization.

Verdict: very good (940 Points)

82 7/2021 connect.de 7/2021 83 REPORT COVID APPS SECURITY BENCHMARK

NHS Covid 19 App

After an app with centralized data storage first appeared in May 2020, the NHS switched to a privacy-friendly version following strong criticism.

Initially, the British National Health Service (NHS) focused on an app with its own contact tracing technology and centralized data storage. But after massive criticism, it later switched to the Apple/Google Exposure Notification Framework and its decentralized storage approach. However, the resulting delay meant that the current app could not be launched until September 2020. On the very first day, it recorded 6 million downloads. Today, the app has reached around 22 million users and thus a similar penetration of the population as in Germany. NHS Covid 19 can be used in England and Wales – Scotland and Northern Ireland had had their own Corona apps developed.

The app comes up with clever details: after entering the first digits of the postcode, it provides an overview of the Corona restrictions currently in force in the user's home region. An appointment for a Corona test can also be booked directly via the app; the user then decides whether the result should be uploaded anonymously. If a quarantine is imposed, the app counts down the remaining days. Users can also check in at stores or events where the NHS has put up a poster with a corresponding QR code.

The now privacy-friendly version, which in the UK is also known as the "Phase II Covid App", receives an overall very good security rating from umlaut. In terms of personal data protection, it ranks in the midfield of our comparison with slight potential for improvement. Traffic protection is at the same high level as the apps from Germany, Australia and the USA. There is somewhat more potential for optimization in integrity protection (measures against Impersonation Attacks), and there is also some room for improvement in the protection of the app's open source code.

Smart details: The second British Covid app gets a lot of things right and convinces with well thought-out and practical additional functions.

Verdict: very good (896 Points)

Covid Alert NY

Because a U.S.-wide app was hardly feasible, New York developed its own solution. But acceptance remains low despite very good security.

As it is difficult to balance all 50 U.S. states, the state of New York developed its own Corona app. The bordering states of New Jersey, Delaware and Pennsylvania were included to accommodate commuters between those states. NearForm Inc. was contracted to develop the application; the State University of New York (SUNY), Columbia University, Cornell Tech and the Massachusetts Institute of Technology (MIT) were involved as advisers.

Released in October 2020, the app had 500,000 downloads after about a month and now counts roughly 1.1 million users – a rather poor penetration when measured against about 20 million residents in New York State alone. The New York Department of Health therefore points out that users benefit from the warnings even if they have not installed the app at all – but activate the contact tracing option in iOS or Android. This is because distance detection and notification are based on the "Exposure Notification Framework" from Apple and Google. The functionalities beyond that are moderate. Even positive test results cannot be uploaded directly; this is the responsibility of a health authority employee.

In any case, security concerns should not deter potential users from installing the app, because the assessment of "Covid Alert New York" by the security experts of umlaut also resulted in a very good overall score. However, there is definitely room for improvement – only slightly in the protection of personal data and the protection of data traffic, somewhat more pronounced in the protection against loss of integrity and expansion of rights (Impersonation attacks), and above all in the protection of the source code of the open source app.

Moderate scope of functions: Besides the contact notification built into iOS and Android, there is only a private symptom log.

Verdict: very good (876 Points)

Covid Alert South Africa

There is little to criticize about the security of the South African Covid app – nevertheless, it did not achieve a high penetration.

The South African Department of Health released its Corona app in early September 2020. By the end of the launch month, it had around 500,000 users. Currently, the ministry extrapolates just over one million installations – which is only a fraction of the original target of 10 million. The app is not only available for download in the iOS and Android app stores, but also officially in Huawei's AppGallery.

According to the test results determined by connect and umlaut, there is no reason to distrust the app: data about encounters is stored decentrally on the smartphone, and the detection uses the Exposure Notification Framework from Apple and Google, which is integrated in iOS and Android. One factor in the low uptake may be that, despite a high penetration of cell phones in South Africa (the latest available statistics from 2018 show 1.67 cell phones per inhabitant), only the richer parts of the population can afford a relatively expensive smartphone with Bluetooth and an up-to-date operating system. In addition, the comparatively low testing capacities in South Africa are often cited as another explanation for the app's low penetration, which calls its usefulness into question to some extent. And despite the virus mutation named after the country, the infection and death rates in South Africa remained rather low compared to other regions of the world.

The safety review by umlaut shows an overall good result. Covid Alert South Africa reaches the full possible number of points for protection against loss of integrity and rights escalation (Impersonation Attacks). The protection of the source code scores in the good midfield. However, the South African app ranks at the bottom of our comparison in the protection of personal data and connection security – umlaut sees potential for improvement here.

Unjustly scorned: The functionality of the "Covid Alert South Africa" app is moderate, but there are no major security flaws.

Verdict: good (848 Points)

Covid Alert Canada

With Blackberry and Shopify, big names are involved in the development of Canada's Covid app. Nevertheless, there is a lot of discussion about it.

Canada drew on a great deal of national technology expertise to develop its Corona app: Blackberry as well as e-commerce specialist Shopify were involved. The app was launched at the end of July 2020; by September it had 3 million users and currently counts around 6.5 million installations. Nevertheless, not all of the comparatively autonomous Canadian provinces joined in: one province had already launched its own app in advance, which was based on the tracing system developed in Singapore. British Columbia raised concerns about data protection despite the app's decentralized architecture, and two further provinces also had some reservations. Users in these regions can receive alerts but cannot upload positive test results.

Covid Alert Canada also relies on the Exposure Notification Framework developed by Apple and Google, and thus has the same system requirements as the apps from Germany, the UK, the US or South Africa. Positive Covid 19 diagnoses are confirmed via a one-time code and uploaded anonymously on a voluntary basis. Probably also in view of the intense discussions in the run-up to and after the introduction of the app, Covid Alert Canada limits itself to the basic function of contact alerts and does without extensions such as event check-ins or a contact diary.

In the security assessments carried out by umlaut, Covid Alert Canada performs well overall, but still comes in last in this overall comparison. The potential for improvement identified by umlaut in the categories of data protection and data traffic security is rather low. The security experts have somewhat more to criticize in the areas of loss of integrity and rights escalation (Impersonation Attacks) as well as regarding the Code Practices of the open-source app.

Rudimentary for political reasons: After extensive privacy discussions, the Canadian app limits itself to its core function of contact tracing.

Verdict: good (816 Points)

Covid Safe Australia

The Australian government went its own and controversial way with its Corona app. However, umlaut's security rating is very good.

Only about 14 days after its initial announcement, the app commissioned by the Australian Department of Health was released in April 2020. It was developed by a consortium around the companies Delv Pty Ltd, Ionize Pty Ltd, Atlassian and others. After just 24 hours, one million Australian users had installed the app, after 48 hours two million and after two weeks four million. But after about a year now, the user base has stagnated at around seven million.

The Australian app uses BlueTrace, a Bluetooth LE-based distance measurement method developed by the Singapore government. Thus, Covid Safe deliberately does not rely on the Apple/Google Exposure Notification Framework. However, since the app stores the data about encounters on centralized servers, it was criticized by data protection advocates right from the start. In addition, it remained unclear for a while after launch whether the use of the app could be dictated by law. These fears have since been dispelled by contrary legislation, but the app still has a damaged image. Discussions are now underway in Australia whether it might be better to develop a completely new alternative to Covid Safe.

Despite the concerns that arose primarily from the centralized data storage, umlaut attests the app an overall very good security level. Unsurprisingly, the testers identified weaknesses in the protection of personal data, but data traffic is at the same high level as the solutions from Germany, the UK and the USA. Also, the experts found no shortcomings in the areas of Impersonation Attacks, and the app is also well ahead in protecting its source code, which was published as open source. In contrast to the pronounced criticism, Covid Safe Australia achieves second place in our security rating.

Much criticism down under: Centralized data management and misunderstandings at launch time damaged the image of the Covid Safe Australia app.

Verdict: very good (912 Points)

Conclusion

Hannes Rügheimer, connect author

A look all over the world proves it: once a Covid app has suffered damage to its image due to data protection problems or the centralized data storage criticized by security experts, this is quickly at the expense of a high level of penetration. This quickly has a negative impact on the app's widespread use. Telekom and SAP have done a lot right regarding the German warning app, and not only in terms of data privacy. Nevertheless, there are still a few clever details that could be copied from other countries – for example, the postcode-based overview of currently valid Corona restrictions from the UK.

umlaut's security tests also confirm that the German Corona warning app, which is often questioned at home, stands up very well in an international comparison with its strong focus on data protection. Even if the hope is growing that we will need its functionality increasingly less: anyone who is still undecided should give the German Corona warning app a chance in view of these results.

Methodology

In cooperation with umlaut

The security of the examined international Covid apps and their backend connections was once again tested and evaluated by our trusted partner umlaut.

Because the Covid warning apps can only be used in their respective target regions, where they are usually offered without direct competition, we have abstained from an editorial evaluation of aspects such as functional scope and ease of use. The security of the apps, on the other hand, plays a central role – which is why our partner umlaut examined this aspect with its proven test procedure for app security. As in the past for other app categories, umlaut analyzed four areas in the Android versions of the Corona apps: Data Privacy, Traffic Protection including encryption, measures against Impersonation Attacks such as loss of integrity and rights expansion, as well as Secure Code Practices – the security measures around the app source code.

The examined attack scenarios are based on the guidelines for secure programming of the German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI) and the Open Web Application Security Project (OWASP). Many tests have been developed by umlaut itself, and all results have been verified by two engineers. As usual, we refrain from a detailed description of the discovered vulnerabilities for security reasons, in order to prevent possible criminal acts.

In total, an app can score up to 1000 points in our security rating. We award the most points – a maximum of 332 – in the area of Data Privacy. In this category, we checked whether the apps store personal data, such as login and user information, within the smartphone memory with sufficient protection. Traffic Protection, i.e. securing the data flow between the app and the server, contributes a maximum of 200 points. Here, umlaut's experts checked whether the app uses current encryption methods and whether it transmits all data traffic securely. In addition, the app's correct handling of SSL certificates was examined as a part of the test. The Impersonation Attacks category, which focuses on possible losses of data integrity, is rated with a maximum of 268 points. Here umlaut checks whether authorization mechanisms of the apps can be circumvented. It would also be critical if an app had no protection against cloning: attackers could then create an exact copy of the app, extract all personal data and identify themselves as users. Finally, Secure Code Practices – the protection of the source code – contribute another 200 points. Here, umlaut checked whether components from third-party providers were implemented securely and whether the app stores important files properly disguised.

International Covid Warning Apps

App name: Corona Warning App | Covid Safe | NHS Covid 19 | Covid Alert NY | Covid Alert | Covid Alert
Country: Germany | Australia | UK | USA | South Africa | Canada
Tested app version (Android): 2.0.4 | 2.5 | 4.7 | 1.1.4 | 1.4.1 | 1.2.4
Available for Android/iOS: yes/yes | yes/yes | yes/yes | yes/yes | yes/yes | yes/yes
Provider, developer: Deutsche Telekom, SAP, Robert-Koch-Institut | Delv Pty Ltd, Australian Dept. of Health | National Health Service, UK Dept. of Health and Social Care | NearForm Inc. | South African Dept. of Health | Shopify, Blackberry, Canadian Government
Approx. number of users: 28 million | 7 million | 22 million | 1.1 million | 1 million | 6.5 million
Total population of issuing country (relation): 83 million (34%) | 25 million (28%) | 67 million (33%) | 20 million (6%, State of NY) | 59 million (2%) | 38 million (17%)
Usable in: EU, UK, Norway, Switzerland | Australia | England, Wales | States of New York, New Jersey, Delaware, Pennsylvania | South Africa | All Canadian provinces except Alberta, Nunavut, Yukon
Contact tracing technology: Bluetooth LE, Google/Apple | Bluetooth LE | Bluetooth LE, Google/Apple | Bluetooth LE, Google/Apple | Bluetooth LE, Google/Apple | Bluetooth LE, Google/Apple
Contact tracing / distance / min. contact time: yes/2 m/15 min | yes/2 m/15 min | yes/2 m/variable | yes/2 m/10 min | yes/2 m/15 min | yes/2 m/15 min
Data storage: decentralized | centralized | decentralized | decentralized | decentralized | decentralized
Risk index / report positive tests / behavior recommendations: yes/yes/yes | no/no (via authority)/yes | yes/yes/yes | yes/no (via authority)/yes | yes/yes/yes | yes/yes/yes
Contact diary / check-in for events or places: yes/yes | no/no | no/yes | no/no | no/no | no/no

Security (points):
Data Privacy (max. 332): 332 | 268 | 300 | 300 | 268 | 300
Traffic Protection (max. 200): 192 | 192 | 192 | 192 | 140 | 140
Impersonation Attacks (max. 268): 228 | 268 | 228 | 228 | 268 | 228
Secure Code Practices (max. 200): 188 | 184 | 176 | 156 | 172 | 148
VERDICT SECURITY (max. 1000): 940 very good | 912 very good | 896 very good | 876 very good | 848 good | 816 good

Data Privacy: Not only conceptually, but also in terms of the programming implementation, the German Corona warning app is ahead of the game when it comes to data privacy.

Traffic Protection: Together with the apps from the UK, USA and Australia, the German app is also among the leaders in terms of traffic protection. Canada and South Africa fall slightly behind.

Impersonation Attacks: The apps from Australia and South Africa lead in integrity protection. The rest of the test field, including the German Covid app, shows slight potential for improvement.

Secure Code Practices: Even though there is still minimal room for improvement, the German app leads in terms of source code protection – ahead of the apps from Australia, the UK and South Africa.
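The Traffic Protection checks described in the methodology (current encryption methods, no insecure transmission, correct certificate handling) have a concrete counterpart in an Android app's Network Security Config, the XML file that declares whether plain HTTP is allowed, which certificate authorities are trusted and whether server certificates are pinned. The following Python script is an added example and is not part of umlaut's test procedure or of any of the tested apps; it audits such a config for the weak settings and shows a hardened counterpart beside it. Both XML documents are constructed samples, and the host name api.example-cwa.invalid is a placeholder.

```python
"""Audit an Android network_security_config.xml for transport weaknesses.

Added example for the Traffic Protection category of the benchmark; it is not
umlaut's tooling. The two configs below are constructed samples, not the
configuration of any real app, and the domain name is a placeholder.
"""
import xml.etree.ElementTree as ET
from datetime import date

# Constructed sample: a weak configuration.
WEAK_CONFIG = """
<network-security-config>
  <base-config cleartextTrafficPermitted="true">
    <trust-anchors>
      <certificates src="system"/>
      <certificates src="user"/>
    </trust-anchors>
  </base-config>
  <domain-config>
    <domain includeSubdomains="true">api.example-cwa.invalid</domain>
  </domain-config>
</network-security-config>
"""

# Constructed sample: the hardened counterpart of the same configuration.
HARDENED_CONFIG = """
<network-security-config>
  <base-config cleartextTrafficPermitted="false">
    <trust-anchors>
      <certificates src="system"/>
    </trust-anchors>
  </base-config>
  <domain-config cleartextTrafficPermitted="false">
    <domain includeSubdomains="true">api.example-cwa.invalid</domain>
    <pin-set expiration="2099-12-31">
      <pin digest="SHA-256">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</pin>
      <pin digest="SHA-256">BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=</pin>
    </pin-set>
  </domain-config>
</network-security-config>
"""


def _is_true(value):
    """Android treats a missing boolean attribute as false."""
    return (value or "false").strip().lower() == "true"


def audit_network_security_config(xml_text, today=None):
    """Return a list of findings; an empty list means no checked weakness."""
    today = today or date.today()
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.tag != "network-security-config":
        raise ValueError("not an Android network security config")
    findings = []

    base = root.find("base-config")
    if base is not None:
        # Plain HTTP for every host defeats transport encryption entirely.
        if _is_true(base.get("cleartextTrafficPermitted")):
            findings.append("base-config: cleartext (plain HTTP) traffic permitted for all hosts")
        for cert in base.iter("certificates"):
            # Trusting user-installed CAs means an installed proxy CA would be
            # accepted, so traffic could be inspected in transit.
            if cert.get("src") == "user":
                findings.append("base-config: user-installed CAs are trusted")
            if _is_true(cert.get("overridePins")):
                findings.append("base-config: overridePins=true lets these CAs bypass pin-sets")

    for dc in root.findall("domain-config"):
        names = [d.text.strip() for d in dc.findall("domain") if d.text]
        label = ", ".join(names) or "<unnamed>"
        if _is_true(dc.get("cleartextTrafficPermitted")):
            findings.append(f"domain-config {label}: cleartext traffic permitted")
        pin_set = dc.find("pin-set")
        if pin_set is None:
            findings.append(f"domain-config {label}: no pin-set, any CA-issued certificate is accepted")
            continue
        pins = [p for p in pin_set.findall("pin")
                if p.get("digest") == "SHA-256" and (p.text or "").strip()]
        if len(pins) < 2:
            findings.append(f"domain-config {label}: fewer than two pins, no backup pin for key rotation")
        # Android stops enforcing an expired pin-set, so the pins silently lapse.
        expiration = pin_set.get("expiration")
        if expiration and date.fromisoformat(expiration) < today:
            findings.append(f"domain-config {label}: pin-set expired on {expiration}")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit_network_security_config(cfg)
        print(f"{name}: {len(result)} finding(s)")
        for line in result:
            print("  -", line)
```

In a real audit the file comes from the decoded APK (it is only in effect when the manifest's application element references it via android:networkSecurityConfig), and the constructed pins would be replaced by the SHA-256 hashes of the server's actual public keys; the script only flags declared settings and cannot see how the app's own HTTP client validates certificates, which is why a traffic-level test such as umlaut's is still needed.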
