Apple-Google co-developed Corona Contact API, bug in Android

When Apple and Google jointly announced the Corona 19 Rich Contact Notification API, they promised that the collected information will not be able to leave the terminal unless the user directly shares it, and personal information will be completely preserved. However, in the case of Android devices, a flaw that could potentially leak confidential data was discovered, but there are reports that Google did not respond immediately.

According to The Markup, a non-profit organization that deals with the impact of technology on society, the problem is that confidential information recorded in system logs can be read by other pre-installed apps. In other words, information could be sent to the corporate server that developed the application program.

In the case of the Corona 19 contact notification app, the system log may contain data on whether or not the person has been in contact with the person who tested positive, as well as the terminal name, MAC address, and other app advertisement identifiers. It is reported that more than 400 apps pre-installed on smartphones such as Samsung Electronics, Motorola, and Huawei have been found to have permission to read this system log for crash reports or analysis purposes.

AppCensus, a personal information analysis company that discovered this flaw, said it did not look at it at the time, even though it warned Google in February of this year. The App Census reported that it tested as part of a contract with the US Department of Homeland Security, but that there were no similar problems with the iPhone framework.

According to a statement emailed by Google to Markup, it had begun distributing the fix as soon as it received reports of a problem that the Bluetooth identifier could temporarily access in certain system-level applications for debugging purposes. It added that the update to the Android device started a few weeks ago in roll format and is expected to be completed in a few days.

Google also replied that the potentially leaked Bluetooth identifier does not contain user location information and other identifying information, and that there is no evidence of any abuse. Related information can be found here.