Days after IDAC released its COVID-19 app investigative report, the privately-owned Indian app, COVID-19 Tracker by Medinin, became unavailable to download on the Google Play Store.
In our investigation, our team identified three major areas of concern with regards to this contact tracing app, and are pleased that the app is no longer available for users to download.
The issues our investigations team raised included that 1) the app used a template privacy policy that mirrored another app’s privacy policy, 2) the app communicated unsecurely to an application programming interface (API) and obtained a full list of users’ COVID-19 symptom reports and location data, and 3) the app collected the device IMEI, which is a non resettable unique identifier that could potentially be used to persistently track users.
The culmination of these findings raised real privacy and security concerns for our team.
We hope that other COVID-19 app developers use this example as a teaching moment to raise the bar on privacy and security practices with their own apps. Our team is available to provide insight and guidance for any app developers.