Published
28 September 2022
  • Journal article

Checking Contact Tracing App Implementations with Bespoke Static Analysis

Authors
Flood, Robert 
Chan, Sheung Chi
Chen, Wei
Aspinall, David
Source
SN Computer Science

Abstract

In the wake of the COVID-19 pandemic, contact tracing apps have been developed based on digital contact tracing frameworks. These allow developers to build privacy-conscious apps that detect whether an infected individual is in close proximity with others. Given the urgency of the problem, these apps have been developed at an accelerated rate with a brief testing period. Such quick development may have led to mistakes in the apps' implementations, resulting in problems with their functionality, privacy and security. To mitigate these concerns, we develop and apply a methodology for evaluating the functionality, privacy and security of Android apps using the Google/Apple Exposure Notification API. This is a three-pronged approach consisting of a manual analysis, general static analysis and a bespoke static analysis, using a tool we have developed, dubbed MonSTER. As a result, we have found that, although most apps met the basic standards outlined by Google/Apple, there are issues with the functionality of some of these apps that could impact user safety.

Rights

This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article's Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article's Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/.

Cite as

Flood, R., Chan, S., Chen, W. & Aspinall, D. 2022, 'Checking Contact Tracing App Implementations with Bespoke Static Analysis', SN Computer Science, 3, article no: 496. https://doi.org/10.1007/s42979-022-01357-w

Downloadable citations

Download HTML citationHTML Download BIB citationBIB Download RIS citationRIS
Topics
Coronavirus (COVID-19) Digital health and technology
Keywords
COVID-19 Contact tracing Digital health Technology
Funder
Office of Naval Research
The Alan Turing Institute
Publisher
Springer Nature
Source repository
Heriot-Watt University
Last updated: 20 October 2022
Was this page helpful?