A few notables updates have occurred since the release of IDAC’s original report on COVID-19 mobile apps. Our team has since briefed developers, government officials, and journalists on our investigatory findings, with the goal of raising the bar for privacy and security for COVID-19 apps. The following are updates to some apps that our report covered.
Kinsa for Wireless Smart Thermometers (International/Private)
According to the Washington Post, who published an article citing our report on June 22, Kinsa’s app will no longer send the Android ID, a persistent unique identifier, to Branch.io, a third-party analytics and mobile growth company. Kinsa informed the Washington Post they were “previously unaware that Branch was receiving data that could be used for targeted advertising and disallowed access for Android phones last week following IDAC’s report.”
COVID-19 Tracker by Medinin (India/Private)
patientMpower for COVID-19 (Ireland/Private) and patientMpower for COVID-19 USA (USA/Private)
IDAC had the opportunity to speak with patientMpower and learned that we miscategorized their apps as symptom checkers, when they are a telehealth apps. Users are unable to download the app unless they are enrolled by their healthcare provider. We learned that although patientMpower notified the Irish Data Protection Commissioner of their use of Urbanairship’s SDK, they plan to retire its use. Further, patientMpower clarified that their apps use analytics SDKs for the necessary purposes of monitoring patient blood oxygen levels and sending push notifications to alert patients when there are changes to their blood oxygen levels.
On June 15, the Norwegian Institute of Public Health Following suspended Norway’s contact tracing app, Smittestopp, for concerns around collection geolocation data and it’s use of the centralized app architecture. The app, however, is still available to download in the Google Play Store.
Bolivia Segura (Bolivia/Gov)
NICD COVID-19 Case Investigation (South Africa/Gov)
Cova Punjab (India/Gov)
We flagged the Indian-owned Cova Punjab app for its collection of persistent identifiers such as the IMEI and service set identifiers (SSID), which could be used to track users over time. At the time of our report’s release this app was in the process of being retired and it is currently no longer available in the Google Play Store. However, a newer version of this app, COVA Punjab, is available to download and our team did not observe this newer app collecting persistent identifiers.
 https://www.washingtonpost.com/news/powerpost/paloma/the-cybersecurity-202/2020/06/22/the-cybersecurity-202-privacy-experts-say-many-coronavirus-apps-aren-t-doing-enough-to-safeguard-users information/5eefae20602ff12947e91075/
 The newer version of the app, COVA Punjab, which replaced Cova Punjab, is available to download in the Google Play Store. https://play.google.com/store/apps/details?id=in.gov.punjab.cova