A few notable updates have occurred since the release of IDAC’s original report on COVID-19 mobile apps. Our team has since briefed developers, government officials, and journalists on our investigatory findings, with the goal of raising the bar for privacy and security for COVID-19 apps. The following are updates to some apps that our report covered.
Kinsa for Wireless Smart Thermometers (International/Private)
According to the Washington Post, which published an article citing our report on June 22, Kinsa’s app will no longer send the Android ID, a persistent unique identifier, to Branch.io, a third-party analytics and mobile growth company. Kinsa informed the Washington Post they were “previously unaware that Branch was receiving data that could be used for targeted advertising and disallowed access for Android phones last week following IDAC’s report.”[1]
COVID-19 Tracker by Medinin (India/Private)
The Indian contact tracing app, COVID-19 Tracker by Medinin, is no longer available to download in the Google Play Store. We identified major areas of concern with regard to this app, including that it (1) copied another app’s privacy policy, (2) sent unencrypted transmissions to an API and obtained users’ COVID-19 symptom reports and location data, and (3) collected the device IMEI, a non-resettable unique identifier that should not have been collected. The public API that contained users’ data is also no longer available. These findings raised serious privacy and security concerns for our team, and we are pleased that the app is no longer available for users to download.
patientMpower for COVID-19 (Ireland/Private) and patientMpower for COVID-19 USA (USA/Private)
IDAC had the opportunity to speak with patientMpower and learned that we miscategorized their apps as symptom checkers, when they are telehealth apps. Users are unable to download the app unless they are enrolled by their healthcare provider. We learned that although patientMpower notified the Irish Data Protection Commissioner of their use of Urban Airship’s SDK, they plan to retire its use. Further, patientMpower clarified that their apps use analytics SDKs for the necessary purposes of monitoring patient blood oxygen levels and sending push notifications to alert patients when there are changes to their blood oxygen levels.
Smittestopp (Norway/Gov)
On June 15, the Norwegian Institute of Public Health suspended Norway’s contact tracing app, Smittestopp, over concerns around its collection of geolocation data and its use of a centralized app architecture.[2] The app, however, is still available to download in the Google Play Store.
Bolivia Segura (Bolivia/Gov)
At the time of the report’s release, this app did not have a privacy policy posted in the Google Play Store, in violation of Google’s Developer Policies. We notified them and they have since posted a privacy policy.
NICD COVID-19 Case Investigation (South Africa/Gov)
Our report drew attention to this app’s lack of a privacy policy. The app is no longer available in the Google Play Store.
Cova Punjab (India/Gov)
We flagged the Indian-owned Cova Punjab app for its collection of persistent identifiers such as the IMEI and service set identifiers (SSID), which could be used to track users over time. At the time of our report’s release, this app was in the process of being retired, and it is currently no longer available in the Google Play Store. However, a newer version of this app, COVA Punjab[3], is available to download, and our team did not observe this newer app collecting persistent identifiers.
[1] https://www.washingtonpost.com/news/powerpost/paloma/the-cybersecurity-202/2020/06/22/the-cybersecurity-202-privacy-experts-say-many-coronavirus-apps-aren-t-doing-enough-to-safeguard-users-information/5eefae20602ff12947e91075/
[2] https://techcrunch.com/2020/06/15/norway-pulls-its-coronavirus-contacts-tracing-app-after-privacy-watchdogs-warning/
[3] The newer version of the app, COVA Punjab, which replaced Cova Punjab, is available to download in the Google Play Store. https://play.google.com/store/apps/details?id=in.gov.punjab.cova