Last week we had this:
COVIDSafe app encounter logging bug uncovered on iOS
By Justin Hendry on Jun 15, 2020 3:57PM
Devices unable to fetch temporary IDs when locked.
The government’s COVIDSafe contact tracing app has been found to contain a flaw that stops iPhones from retrieving temporary IDs when a device is locked, meaning Bluetooth encounters could be going unrecorded.
The major bug, which is limited to iOS devices and has affected the functionality of the app since it was first launched in late April, was disclosed by software developer Richard Nelson on Monday.
It goes to the very heart of COVIDSafe’s operation on iOS, with devices unable to fetch new temporary IDs from the national COVIDSafe data store every two hours when a device is locked.
“New TempIDs cannot be retrieved when a device is locked,” Nelson penned in an analysis of the JSON Web Token (JWT) and iOS Keychain access provided to the Digital Transformation Agency.
He said this resulted in a locked device “providing its TempID to devices which ask for it”, but “not being able to write to a peripheral its TempID” - or put more simply, a device recording others around it, but not being recorded by others.
“[A locked device] will record a device acting as central which writes to it. A device in this state will record other people around it, but will not be recorded by others. If all relevant devices are in this state, no encounters are logged,” he said.
Nelson gave the example of someone packing their bag for the day and assuming that the locked device would log encounters, even if Bluetooth encounter logging remains problematic, particularly between two iOS devices.
“One could imagine Alice packing her bag, putting her iPhone in and going out for the day to a football game. With her device in this state, nobody else will record her presence, and if anyone around her tested positive she would not be contacted,” he said.
The cause of the bug relates to COVIDSafe’s use of KeychainSwift to store the JSON Web Token (JWT) used to fetch new temporary IDs from the server.
Nelson said the bug was found by observing debug logs and investigating errors.
“When setting a new TempID locally, COVIDSafe uses the default value for the KeychainSwiftAccessOptions parameter, which is AccessibleWhenUnlocked. This means the keychain item cannot be accessed when the device is locked,” he said.
“When a new TempID is needed, GetTempIdAPI tries to extract the JWT from the keychain in order to fetch a new TempID from the API. This fails when the device is locked, and so a TempID is unavailable.”
He said this could be fixed fairly simply by using “accessibleAfterFirstUnlock for KeychainSwiftAccessOptions when storing the JWT with KeychainSwift”.
Nelson told iTnews the fact the bug had not been found and fixed in the two months since the app went live “just seems so poor”, particularly with people now moving about in greater numbers.
More here:
https://www.itnews.com.au/news/covidsafe-app-encounter-logging-bug-uncovered-on-ios-549270
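The keychain fix Nelson describes, as an added Swift example (not COVIDSafe's code and not code from the article): it puts the default-access store beside the corrected one and adds a read that reports the locked-device failure explicitly. The key name `example.jwt` and the `TokenStore` and `TokenReadResult` types are hypothetical.

```swift
import Foundation
import Security
import KeychainSwift

// Hypothetical key name; the article does not give the app's real one.
let jwtKey = "example.jwt"

enum TokenReadResult {
    case token(String)
    case lockedOut          // item exists but is unreadable while the device is locked
    case missing
    case failed(OSStatus)
}

struct TokenStore {
    let keychain = KeychainSwift()

    // Before: no withAccess argument, so KeychainSwift applies its default,
    // .accessibleWhenUnlocked, and reads fail once the device locks.
    func storeWhenUnlockedOnly(_ jwt: String) -> Bool {
        return keychain.set(jwt, forKey: jwtKey)
    }

    // After: readable while locked, provided the user has unlocked once since boot.
    func store(_ jwt: String) -> Bool {
        return keychain.set(jwt, forKey: jwtKey, withAccess: .accessibleAfterFirstUnlock)
    }

    // Separate "locked" from "no token" so a background refresh can log the
    // cause and retry later instead of silently running without a TempID.
    func read() -> TokenReadResult {
        if let jwt = keychain.get(jwtKey) { return .token(jwt) }
        switch keychain.lastResultCode {
        case errSecInteractionNotAllowed: return .lockedOut
        case errSecItemNotFound: return .missing
        case let status: return .failed(status)
        }
    }

    // Accessibility is stored per keychain item, so a token saved by the old
    // build keeps the old class until it is rewritten. Call while unlocked.
    func migrateExistingToken() -> Bool {
        guard case .token(let jwt) = read() else { return false }
        return store(jwt)
    }
}
```

`.accessibleAfterFirstUnlock` trades some at-rest protection for background availability; `.accessibleAfterFirstUnlockThisDeviceOnly` has the same lock behaviour and additionally keeps the token from migrating to another device through backups.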
Also here:
Opinion: COVIDFail. The IT debacle that could cost lives
Friday June 19, 2020
Another spate of COVID-19 cases being reported in Victoria. China re-instating restrictions as it sees infections return. Our chief medical officer says his greatest fear is a second wave, and there’s the likelihood the coronavirus will linger around forever like the flu. Another IT debacle from the federal government. But this one is different. In this case we could see people die. We need a tracing app that actually works.
It’s worth noting that Victoria is the only state known to have actually used the COVIDSafe app. More than 20 people who’ve tested positive have allowed its health department to download their data yet this hasn’t identified anyone they didn’t already know about through existing manual contact tracing methods. Presumably the app missed numerous people with whom they must have come into contact.
Millions of Australians are out and about in the false belief that having downloaded the app they are somehow safer, because that’s what the government told them. It’s still running TV commercials telling people to download the app.
Documents released by the Digital Transformation Agency have confirmed that COVIDSafe’s ability to communicate between two locked iPhones – about 40% of the Australian market – was rated as “poor” and this was known at the time it was launched. While Apple and Google are working on a solution, you’d have thought this is something to be sorted out before launching the product, surely?
The big question is, will COVIDSafe ever work? An Oxford University report suggests around 60% of the population needs to be co-opted for a tracing app to be effective. Take-up in Australia appears to have stalled at around 25%. The government itself has said we need a 40% take-up level.
The effectiveness of COVIDSafe is “extremely limited” and the contact tracing app is unlikely to help prevent the spread of the virus, according to a policy paper from the Auckland University of Technology, the University of Queensland, the University of Auckland and Massey University.
UNSW experts say there are deficiencies in the COVIDSafe Bill and explain why the “Google knows everything about you anyway” argument is insufficient.
The Brookings Institution has cautioned against a “rising enthusiasm for automated technology as a centrepiece of infection control” and says it has “serious doubts” about contact tracing through mobile phone apps.
For the record, I have no in-principle objection to a tracing app given the current circumstances. But a review of the history of the COVIDSafe app will in time reveal two fatal strategic errors. Firstly, a failure to consult with the right technology experts to ensure the app was fit-for-purpose from day one. Secondly, a failure to effectively communicate the value of the project.
More here:
https://www.themandarin.com.au/135285-opinion-covidfail-the-it-debacle-that-could-cost-lives/
So it seems that the app is both not working all that well and not helping all that much.
Seemed like a great idea at the time!
David.
2 comments:
"Seemed like a great idea at the time!"
that's been said many a time about the Department of Health's initiatives and decisions.
It also looks as though the shine has worn off the app, as far as the public are concerned.
Here's a bit of the history.
Version 1.0 was launched on 26 April.
The Apple version is currently 1.6.
According to the Apple store, there was an update on 5 May "Updated Design. Bug Fixes"
The Android version is currently 1.0.28
There is no information on the Android version.
On 5 May it was reported that there had been 5 million downloads.
On 1 June the download number was reported as 6.13 Million.
On 10 June it was reported as 6.2 million.
AFAIK, there have been no other download numbers reported.
Between 1 and 10 June it looks as though there were about 8,000-9,000 downloads per day. It is quite probable that the downloads in the whole of June will be revealed (if revealed at all) to be fewer than 8,000 per day.
The ABC report on 31 May
https://www.abc.net.au/news/2020-06-02/coronavirus-covid19-covidsafe-app-how-many-downloads-greg-hunt/12295130
indicates that the downloads had flattened by the middle of May. There is no reason to suggest that there has been a renewed interest in the thing.
The stark conclusions are that the downloads have stalled at about 6.2 million (that's total, probably including updates) and that very few people have the current version.
To add to David's comment "So it seems that the app is both not working all that well and not helping all that much." And the government has failed to persuade the people that it is worth taking seriously.
I wonder what the briefing to the new secretary of the Department of Health will say.