The Android version of the Google and Apple COVID-19 contact exposure notification app had a bug that allowed other pre-installed apps to see its private data.
It even made it possible to learn whether a user had been in contact with a person who had tested positive for COVID-19. This security hole was published today by the firm AppCensus.
Google has already launched a fix for the COVID-19 app
The guys from Mountain View have been quick to respond and are already deploying a fix for this bug. The urgency to fix it stems from the firm promise made by Sundar Pichai, CEO of Google, and Tim Cook, CEO of Apple.
The two promised that the data collected by the notification app in the event of a COVID-19 exposure would never be shared off the user's device.
In fact, AppCensus notified Google of this vulnerability in February, but it could not be corrected in time. The fix appears to involve deleting a few lines of code of little importance.
José Castañeda, a Google spokesman, says they were notified of a problem with Bluetooth identifiers that were temporarily accessible at specific system levels. This would not be the first time that similar problems have been found in this app, as also happened at the beginning of the year.
On Android, the problem is that pre-installed apps can access those specific system levels, which gave them the opportunity to see the contact-tracing data in the app created by Google and Apple.
The firm has stated that there is no indication that these apps obtained any of that data. As for the iPhone, AppCensus reportedly did not find any similar vulnerability.
The entry Problems with COVID-19 apps on Android: they exposed data to other apps appears first in The Free Android.