Are contact tracking apps safe?

I was lucky enough to be part of a Portuguese working group that is actively reviewing and discussing the security and privacy implications of a future contact tracing app in Portugal, in particular with regard to protecting these applications against possible threats. We have seen countries take different approaches (centralized, decentralized) and use different technologies to build these apps (both native technologies and web technologies like JavaScript).

About the Author: Pedro Fortuna is the co-founder and CTO of Jscrambler.

Most discussions of contact tracing apps center on privacy, so one of my roles has been to shed light on underlying security issues that can make contact tracing apps easier to tamper with and potentially breach confidentiality on a large scale. As many countries around the world are developing and releasing contact tracing apps, now is a good time to discuss the differences between these apps and highlight relevant security issues. Let's take a closer look.

Regarding COVID-19 apps, there are two types of apps that manage sensitive data: symptom tracking and contact tracing. Contact tracing is the more controversial of the two due to people's fear of being watched.

Non-digital contact tracing has been around for a long time. Once a person has been infected, health officials interview them to find out who they have been in contact with recently. They ask for the contact details of those people and interview them as well. This makes it possible to track the contagion and isolate the people who need it. But the main problem is that this is one-off: people are often interviewed too late in the game and don't remember everyone they've been in contact with. Also, the interviewee may not have the contact details of the people they met. Another problem is that people are only isolated when they have symptoms. Digital contact tracing aims to improve on this and address some of these limitations.

Most contact tracing apps are based on Bluetooth Low Energy (BLE). Each application instance broadcasts short-range beacons, so when people are on the move, their devices pick up other people's beacons. Each beacon carries a unique, ephemeral, anonymous identifier. Observed ephemeral identifiers are stored locally on the device. When a person is diagnosed, they receive an official code from the health authorities, and by entering this code in the application, this person officially and voluntarily registers their infection status. A list of that person's own ephemeral identifiers used in the last 14 days is then sent to a central server; all other devices periodically download the list of infected persons' identifiers and then determine locally whether they have been in contact with them recently. For positive contacts, the app calculates the risk of infection, taking into account the estimated proximity and the duration of the contact.
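
The decentralized flow described above, as an added example that is not taken from any of the apps discussed: devices exchange random ephemeral identifiers, a diagnosed user uploads only their own identifiers from the last 14 days, and every other device scores its exposure locally. The `Device` class, the proximity weights and the 15-minute threshold are assumptions made for illustration, and the contact data is constructed.

```javascript
const crypto = require("crypto");

const RETENTION_DAYS = 14;     // window named in the text
const HIGH_RISK_MINUTES = 15;  // assumed threshold, not from the article

// Assumed proximity weighting: full weight within 2 m, half within 5 m.
const proximityWeight = (m) => (m <= 2 ? 1 : m <= 5 ? 0.5 : 0);

class Device {
  constructor() {
    this.sent = [];   // own ephemeral IDs, kept locally
    this.heard = [];  // IDs observed from nearby devices, kept locally
  }
  // Broadcast a fresh random identifier that says nothing about its owner.
  broadcast(day) {
    const id = crypto.randomBytes(16).toString("hex");
    this.sent.push({ id, day });
    return id;
  }
  observe(id, day, minutes, meters) {
    this.heard.push({ id, day, minutes, meters });
  }
  // After a confirmed diagnosis: upload only own IDs from the last 14 days.
  idsToUpload(today) {
    return this.sent.filter((e) => today - e.day < RETENTION_DAYS).map((e) => e.id);
  }
  // Matching runs on the device; observed contacts never leave it.
  exposureMinutes(publishedIds, today) {
    const infected = new Set(publishedIds);
    return this.heard
      .filter((c) => today - c.day < RETENTION_DAYS && infected.has(c.id))
      .reduce((sum, c) => sum + c.minutes * proximityWeight(c.meters), 0);
  }
}

// Constructed scenario: Alice is diagnosed on day 20.
function runScenario() {
  const alice = new Device(), bob = new Device(), carol = new Device();
  const today = 20;
  const old = alice.broadcast(3), mid = alice.broadcast(10), recent = alice.broadcast(18);
  bob.observe(old, 3, 30, 1);        // outside the 14-day window, never published
  bob.observe(mid, 10, 20, 1.5);     // close and long
  carol.observe(recent, 18, 10, 4);  // brief and further away
  const published = alice.idsToUpload(today);
  const score = (d) => d.exposureMinutes(published, today);
  return { published: published.length, bob: score(bob), carol: score(carol),
           bobHighRisk: score(bob) >= HIGH_RISK_MINUTES };
}
console.log(runScenario());
```

The central server only ever sees the diagnosed user's own identifiers; the list of observed contacts and the risk calculation stay on each device, which is why tampering with the local code matters so much in this design.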

Exposed code and reverse engineering

Because they handle highly sensitive data, contact tracing apps must offer strong security and be subject to independent security audits. To this end, these apps should follow the general recommendations of the OWASP Mobile Security Testing Guide, in particular the use of code signing, to reduce the risk of a counterfeit version of the app being published, as well as certificate pinning, to reduce the risk of man-in-the-middle (MITM) attacks. Additional security threats to be aware of are available here.

In particular, the risk posed by exposed code should be noted. As OWASP notes, this is where an attacker can directly modify the code, dynamically change the contents of memory, change or replace the system APIs that the application uses, or modify the application's data and resources. This can later provide the attacker with a direct method to divert the intended use of the software for personal or monetary gain. The impact of a code modification varies widely, depending on the nature of the modification itself, but it is particularly relevant in decentralized contact tracing applications, where sensitive data and algorithms remain local.

OWASP also highlights the risk of attackers reverse engineering source code as a gateway to more advanced attacks. An attacker can exploit reverse engineering to achieve one of the following objectives: reveal information about back-end servers, reveal cryptographic constants and ciphers, steal intellectual property, carry out attacks against back-end systems, or obtain the information necessary to perform a later code modification.

In the context of contact tracing apps, these two security risks (exposed code and reverse engineering) need to be addressed to close this security gap. The problem is particularly important in JavaScript-based applications, where, by default, the source code is not compiled and is therefore fully exposed, making tampering and reverse engineering much easier.

Currently, there are dozens of different contact tracing apps in development or published. Several of them are developed using JavaScript-based frameworks like React Native and Ionic, namely the Israeli official app Hamagen, Germany-based ito, and Canada-based COVID Shield (which are all based on the React Native framework), and the Swiss WeTrace, which is built with the Ionic framework. As a result, it is essential that these applications protect their JavaScript source code from the attacks described above, with a particular focus on protecting against data exfiltration attacks that can be carried out by tampering with code or by inspecting memory.

To this end, OWASP advises that the mobile application should be able to detect at run time that code has been added or changed, that it should be able to respond appropriately at run time to a code integrity violation, and that it should be protected against memory tampering or scraping. OWASP then states that, to prevent effective reverse engineering, a code protection tool should be used.

The teams behind these projects face the great challenge of delivering these very complex applications in record time. It is essential that they consider these security threats during the development phase. With such high stakes, the need to protect source code in mobile apps should not be overlooked.
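
The run-time integrity check described above, as an added example (not code from OWASP or from any of the apps named): at start-up the app verifies a signed manifest with a pinned public key and refuses to unlock stored contact data if the loaded bundle's digest differs. The manifest layout, the Ed25519 keys, the function names and the sample bundle are assumptions constructed for illustration.

```javascript
const crypto = require("crypto");

const sha256 = (data) => crypto.createHash("sha256").update(data).digest();

// Release pipeline (assumed): sign a manifest that records the bundle digest.
function signRelease(bundle, privateKey) {
  const manifest = JSON.stringify({ alg: "sha256", digest: sha256(bundle).toString("hex") });
  const signature = crypto.sign(null, Buffer.from(manifest), privateKey).toString("base64");
  return { manifest, signature };
}

// App start-up: verify the manifest with the pinned key, then the loaded code.
function checkBundle(bundle, release, pinnedPublicKey) {
  const signed = crypto.verify(null, Buffer.from(release.manifest), pinnedPublicKey,
    Buffer.from(release.signature, "base64"));
  if (!signed) return "manifest-untrusted";
  const expected = Buffer.from(JSON.parse(release.manifest).digest, "hex");
  const actual = sha256(bundle);
  const same = expected.length === actual.length && crypto.timingSafeEqual(expected, actual);
  return same ? "ok" : "bundle-modified";
}

// Respond to a violation: keep the locally stored contact data locked.
function startApp(bundle, release, pinnedPublicKey) {
  const status = checkBundle(bundle, release, pinnedPublicKey);
  return { status, contactStoreUnlocked: status === "ok" };
}

// Constructed scenario: an intact bundle, a modified one, and a modified one
// shipped with a manifest signed by a key the app does not pin.
function demo() {
  const vendor = crypto.generateKeyPairSync("ed25519");
  const other = crypto.generateKeyPairSync("ed25519");
  const bundle = "const RETENTION_DAYS = 14; /* constructed app bundle */";
  const release = signRelease(bundle, vendor.privateKey);
  const patched = bundle.replace("14", "0");
  return {
    intact: startApp(bundle, release, vendor.publicKey),
    patched: startApp(patched, release, vendor.publicKey),
    resigned: startApp(patched, signRelease(patched, other.privateKey), vendor.publicKey),
  };
}
console.log(demo());
```

A check like this lives in the same exposed bundle it protects, so it needs the code protection the article calls for, or a native-side implementation, to resist removal.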