Developing a COVID-19 track and trace app — through the AppSec lens

By: Ian Hall, Asia-Pacific Client Services Manager at Synopsys

The unprecedented spread of COVID-19 has the world scrambling to navigate a new normal. The World Health Organisation (WHO) has underscored the importance of identifying COVID-19 cases and isolating them before they infect others. Testing and tracing are vital to this effort: everyone who has been in contact with an infected individual must be identified to mitigate further spread of the virus.

Mobile application technology offers a powerful way to collect data about user movements and points of contact. To defeat COVID-19 there must be a robust and effective track and trace app that can reliably provide the data needed to stop the spread. But such an undertaking has numerous complications, and all of them must be considered throughout the development process.

In a recent interactive COVID-19 webinar, Synopsys security consultants Ian Ashworth and Bhavin Shah discussed the principal considerations and challenges associated with creating a track and trace app. Here we look at some of the key takeaways from that session so that would-be track and trace app creators can be better prepared.

Application security is vital

The goal of a track and trace app is to quickly identify the contacts of a positive COVID-19 case so that they can be isolated and the spread of the virus potentially stopped. This will undoubtedly require personal data to be stored within the app, and because of this the importance of application security cannot be overstated.

Application security did seem to take a back seat in the preliminary wave of track and trace apps, as is evident from the numerous reports that have already emerged of privacy failures, potential hacking incidents and development U-turns. Some of the difficulties faced by Australia’s COVIDSafe (which was initially based on Singapore’s TraceTogether and its BlueTrace protocol) are publicly documented.

User adoption is a challenge

Perhaps the most pressing challenge for a successful track and trace application is user adoption. Personal data concerns, weak motivation to use the app, and general doubts about its security all pose a challenge, and that is before an application even enters the development phase. An Oxford University study found that roughly 60% adoption would be needed to stop the epidemic outright.

Within the study, Oxford University Professor Christophe Fraser states: “Our models show we can stop the epidemic if approximately 60% of the population use the app, and even with lower numbers of app users, we still estimate a reduction in the number of coronavirus cases and deaths.”

Although a goal of 60% adoption is lofty, even lower levels of adoption are still beneficial. Having said that, it is also clear that no significant level of user adoption will be possible without adequately addressing security concerns and demonstrating robust security measures. The ingredients of a secure design that will promote user adoption are:

  • Hardware: The app must run either on hardware dedicated to the cause or on the plethora of mobile devices already in people’s pockets. Mobile devices bring their own challenges, however: operating-system power management may suspend or shut down background apps, interrupting the app’s ability to detect encounters.
  • Identity: The user, and the people around the user, must be represented anonymously and securely. Identifiers that can be linked back to a person will negatively impact adoption.
  • Proximity: The app must be able to identify encounters with other phone users; both the distance and the duration of each encounter matter. Again, the security concerns around this functionality must be addressed.
  • Communication: Data must be shared and processed securely, whether between devices or with a backend service.
  • Motivations: Users need to trust the app in order to use it. Without user confidence, the motivation to download it will be slim.
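As an added illustration (not code from the webinar, from Synopsys, or from any of the apps named on this page), the following Python model shows how the Identity, Proximity and Communication ingredients fit together in a BlueTrace-style design: phones broadcast short-lived random TempIDs, a phone’s encounter log holds only the tokens it heard plus signal strength and time, and only the health authority can resolve those tokens to people, and only after the infected user consents to upload. The 15-minute rotation interval, one-minute scan interval, RSSI cut-off and 15-minute exposure threshold are assumed values chosen for the example, and the server-side lookup table stands in for BlueTrace’s encrypted TempID payload.

```python
"""Toy model of a BlueTrace-style contact-tracing flow. Constructed example,
not code from TraceTogether, COVIDSafe or Synopsys. It shows that nothing on
the air or in another user's phone names a person, that only the authority can
resolve TempIDs, and that forged or replayed tokens cannot manufacture a contact.
"""
from __future__ import annotations

import secrets
from dataclasses import dataclass

TEMPID_LIFETIME = 15 * 60       # assumption: rotate the broadcast identifier every 15 min
SCAN_INTERVAL = 60              # assumption: the phone logs one sighting per minute
RSSI_CLOSE = -70                # assumption: dBm at or above this counts as "near"
MIN_EXPOSURE_SECONDS = 15 * 60  # assumption: 15 cumulative minutes = close contact


@dataclass(frozen=True)
class TempID:
    token: bytes   # opaque random value broadcast over BLE
    start: int     # unix time from which it is valid
    expiry: int    # unix time after which it must not be accepted


@dataclass(frozen=True)
class Sighting:
    token: bytes   # the other phone's TempID as received
    rssi: int      # received signal strength in dBm (proxy for distance)
    seen_at: int   # unix time of the scan


class HealthAuthority:
    """Server side: the only place a TempID can be tied to a person."""

    def __init__(self) -> None:
        # token -> (user_id, start, expiry). BlueTrace encrypts this tuple into
        # the TempID itself; a lookup table is the simplest stand-in here.
        self._issued: dict[bytes, tuple[str, int, int]] = {}

    def issue_tempids(self, user_id: str, now: int, count: int) -> list[TempID]:
        """Hand a registered phone a batch of consecutive, non-overlapping TempIDs."""
        batch = []
        for i in range(count):
            start = now + i * TEMPID_LIFETIME
            token = secrets.token_bytes(16)
            self._issued[token] = (user_id, start, start + TEMPID_LIFETIME)
            batch.append(TempID(token, start, start + TEMPID_LIFETIME))
        return batch

    def exposure_seconds(self, log: list[Sighting]) -> dict[str, int]:
        """Resolve a consensually uploaded log to per-user exposure, dropping invalid sightings."""
        seconds: dict[str, int] = {}
        for s in log:
            record = self._issued.get(s.token)
            if record is None:
                continue                    # unknown or forged token
            user_id, start, expiry = record
            if not start <= s.seen_at < expiry:
                continue                    # replayed or stale token
            if s.rssi < RSSI_CLOSE:
                continue                    # too far away to count
            seconds[user_id] = seconds.get(user_id, 0) + SCAN_INTERVAL
        return seconds

    @staticmethod
    def close_contacts(exposure: dict[str, int]) -> set[str]:
        return {u for u, secs in exposure.items() if secs >= MIN_EXPOSURE_SECONDS}


class Phone:
    """Client side: stores only the opaque tokens it heard, never whose they are."""

    def __init__(self, user_id: str, authority: HealthAuthority, now: int) -> None:
        self.tempids = authority.issue_tempids(user_id, now, 96)  # a day's worth
        self.log: list[Sighting] = []

    def current_token(self, now: int) -> bytes:
        for t in self.tempids:
            if t.start <= now < t.expiry:
                return t.token
        raise RuntimeError("no valid TempID; fetch a fresh batch from the authority")

    def hear(self, token: bytes, rssi: int, now: int) -> None:
        self.log.append(Sighting(token, rssi, now))


def run_scenario() -> tuple[dict[str, int], set[str]]:
    """Constructed sample day: Alice later tests positive and uploads her log."""
    now = 1_600_000_000
    authority = HealthAuthority()
    alice, bob, carol, dave = (Phone(n, authority, now) for n in ("alice", "bob", "carol", "dave"))
    for m in range(20):                       # 20 min beside Bob, spanning two of his TempIDs
        alice.hear(bob.current_token(now + m * SCAN_INTERVAL), -60, now + m * SCAN_INTERVAL)
    for m in range(5):                        # 5 min beside Carol: genuine but too short
        alice.hear(carol.current_token(now + m * SCAN_INTERVAL), -55, now + m * SCAN_INTERVAL)
    for m in range(30):                       # 30 min in the same building as Dave: too far
        alice.hear(dave.current_token(now + m * SCAN_INTERVAL), -85, now + m * SCAN_INTERVAL)
    forged = secrets.token_bytes(16)          # attacker broadcasting made-up tokens
    replayed = carol.current_token(now)       # attacker re-broadcasting Carol's expired token
    for m in range(30):
        alice.hear(forged, -50, now + 3600 + m * SCAN_INTERVAL)
        alice.hear(replayed, -50, now + 3600 + m * SCAN_INTERVAL)
    exposure = authority.exposure_seconds(alice.log)   # happens only after Alice consents
    return exposure, HealthAuthority.close_contacts(exposure)


if __name__ == "__main__":
    exp, contacts = run_scenario()
    print("exposure seconds per user:", exp)
    print("close contacts to notify:", contacts)
```

Running it yields Bob (1200 s) and Carol (300 s) in the exposure table and only Bob as a close contact; Dave is dropped by the RSSI check, and the forged and replayed tokens are dropped by the token and validity-window checks. Those checks have to live on the server, because a phone cannot distinguish a genuine TempID from a fabricated one without the authority’s records. The same property is what keeps the encounter log harmless if a phone is lost or the log is exfiltrated: without the authority’s table the tokens are just random bytes.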

Keys to a successful and secure application

On top of Australia’s COVIDSafe and Singapore’s TraceTogether, already mentioned, Korea has also launched Corona 100m (Co100). Looking at these apps and their initial shortcomings, and combining that knowledge with existing application security best practices, is a starting point for those looking to develop their own track and trace app:

  • Good design heads off a large share of your security problems. Incorporate security activities such as threat modelling and architecture review into your design phase to prevent vulnerabilities that are costly to fix later in the SDLC.
  • Document and be totally transparent; user trust is paramount. Openness will go a long way toward encouraging adoption. Both TraceTogether and COVIDSafe were open sourced by their developers to promote transparency.
  • Carefully select your open source components. Apply adequate security review and testing when selecting open source code, to avoid both vulnerabilities and licensing complications. Knowing what risks might be hidden in your dependencies is imperative.
  • Automate security testing during implementation. Static and dynamic testing that runs automatically in the build pipeline protects you without slowing you down.
  • Perform a final pen test on the deployed solution. Penetration testing identifies vulnerabilities that automated tools may miss.
  • Review your deployment and patch your app. Final checks with a robust suite of AppSec tools help verify the deployed configuration, and a patching plan is needed because new vulnerabilities will be found after release.

Final thoughts

The complexity of building a track and trace app, getting it right the first time and ensuring that it is fully operational makes this a daunting task. Add the pressure of needing such an application yesterday, and it is not surprising that security considerations have taken a back seat in some of the initial iterations of COVID-19 apps. But a successful application has an enormous number of moving parts, and that means a large attack surface. Security must be your utmost priority.

Development teams should be building security into their entire SDLC. Rather than treating security as a final testing gate at the end of development, view it as a methodology applied early and continuously, from design all the way through implementation and deployment.

Security and risk must be carefully managed in this undertaking; failure, data breaches and loss of trust or reputation can all quickly halt progress. Investing in automation tools from a trusted leader in the AppSec space could make the difference between success and disaster.
