How trustworthy are COVIDWISE and other COVID-19 contact tracing apps?

Virginia Tech-led team investigated the potential risks of these apps

Screenshot of the COVIDWISE app (Virginia Department of Health)

BLACKSBURG, Va. – Smartphone apps track lots of data to provide users with an optimal experience.

During the COVID-19 pandemic, contact tracing apps in particular have gained massive amounts of traction as a way to monitor potential new cases.

Some, however, are concerned about how trustworthy these tracing apps are in securing private information.

A Virginia-based team set out to investigate and debunk these rumored risks.

“I understand the confusion and fear surrounding contact tracing,” said Dafeng Yao, Virginia Tech computer science professor. “Because the most straightforward way to do this would be to collect user information and send it to some central authority for analysis. But the actual technology is a lot smarter.”

Yao, alongside five other researchers, focused their study on the Virginia Department of Health’s COVIDWISE app.

They began by testing the app, on both Apple and Android devices, through a series of real-world scenarios.

Moving from the situations with the fewest risk factors to those with the most, the team evaluated user privacy risk at each threat level.

The findings were as follows:

  • In the first four scenarios, which covered people’s everyday experiences like passing someone on a sidewalk, there were no privacy leaks found.
  • In the final two scenarios, there were privacy risks, but several security mechanisms would need to be bypassed for a successful attack.
  • No central server is keeping track of who is talking to whom.

“There are easier ways to profile someone’s movements,” said Yao. “You can just hire spies!”

With the continued appearance of new COVID-19 variants, wider adoption of contact tracing apps could prove useful in mitigating the spread, according to the team.

This study, which was supported by the Commonwealth Cyber Initiative, is set to be published by the IEEE Computer Society in February.