COVID-19 Contact Tracing: What's the Secure Coding Situation? - Part 2
June 16, 2020

Pieter Danhieux
Secure Code Warrior

One of the counter-attacks against COVID-19 has been through technology, with many countries rolling out contact tracing apps. It is always a bit of a worry when apps are built quickly, and these contact tracing apps are having to be rolled out in record time. It's a nightmare for developers, security people, and government agencies. So, is mistrust a valid reaction?

Start with COVID-19 Contact Tracing: What's the Secure Coding Situation? - Part 1

Some Apps Are Already Showing Signs of Simple Errors That Cause Complex Weaknesses

Australian software engineer Geoffrey Huntley has been studying the source code of COVIDSafe, and sadly, there are issues that are not necessarily being highlighted to us, the end-users.

One critical example was a privacy-breaching logic error that would allow an attacker to perform long-term tracking of devices; something that poses an enormous amount of risk for vulnerable users, not to mention it contravenes the Privacy Policy of the app itself.
It's important to note that these logic vulnerabilities have been patched as of May 14th, but the more pressing issue is that this was left unpatched, in the wild, for 17 days after Mr. Huntley reported it. He and other members of the awesome security community are tracking CVEs relating to the COVIDSafe app here.

One thing Huntley points out, post-patch, is that even the fix shows signs of, well, incompetence. In his public log, he notes the patch involved adding logic rather than simply deleting a flawed cache, with the latter being a far more robust remedy. Both work, but the live solution lacks finesse — a concern with such an important application.

Although we have diligent members of society using their own time and expertise to pore through source code and highlight issues, their job is made much harder than if the code was open source in the first place. As it stands, 28 apps are still closed off to security researchers.

Secure Coding Continues to Trip Us Up at the Finish Line

While I can certainly sympathize with overworked developers — as well as the highly unusual situation of having to churn out a life-saving app in the midst of a pandemic — the above should highlight that a few simple vulnerabilities in what is essentially a communal codebase could spell significant issues for millions of users.

I'd like to think most people want to be good citizens, support the app, and give everyone the best possible chance of contact tracing and controlling outbreaks of this horrific virus. I too am in support of technology that can help achieve this, but in many ways, this has unearthed the general lack of secure coding principles inherent in developers all over the world.

In any situation where software has to be written quickly, mistakes are not exactly unexpected. However, common security vulnerabilities like logic flaws, misconfigurations, and code injection errors should be something that can be prevented as code is written, not after volunteer white hats pick the codebase apart.

And it's not the developers' fault, by the way. They leave their tertiary education with little skills in secure coding, and in their careers, their KPIs almost always relate to feature functionality and speed of delivery — the security part is for someone else to deal with once they're done. We need to get to an end-state of secure coding at speed, and while now is not the time to make seismic culture shifts in the departments building these apps, it's a timely reminder that our digital risk area is expanding, and they are in pole position to make a difference if they're given the tools and knowledge to share the responsibility for security best practices.

Is It Safe to Download the App?

Here's the thing: for me, a security guy, I've come to the conclusion that the benefits of the app outweigh the issues. It's not ideal that the above vulnerabilities are — or have been — present in this software, but the implications of these being weaponized are worst-case scenarios. At the moment, contact tracing is a vital component of assisting our medical heroes all around the world in controlling the spread, stemming the flow of hospital admissions, and keeping each other as safe as possible.

It serves to highlight that we have a long way to go when it comes to enacting security best practices by default in a software build, and it's important the public does have the information needed to make informed decisions.

My family and I will continue to use it, though we remain vigilant with staying up-to-date with our Android patches, as we all should.

Pieter Danhieux is CEO and Co-Founder of Secure Code Warrior
Share this

Industry News

January 13, 2022

Infragistics announced the release of Infragistics Ultimate 21.2.

January 13, 2022

Jitterbit acquired PrimeApps, a Turkey-based innovator in low-code application development.

January 13, 2022

Mirantis announced the release of Mirantis Secure Registry (MSR) 3.0, which supports usage across any Kubernetes distribution.

January 12, 2022

DevOps Institute announced its lineup for 2022 events and webinars and plans for two new DevOps certifications.

January 12, 2022

Oxeye unveiled an open-source initiative with the introduction of Ox4Shell.

January 12, 2022

Quali Torque platform is now available to Microsoft Azure users on the Azure Marketplace.

January 11, 2022

CircleCI announced a free tier for CI/CD.

January 11, 2022

GlobalLogic, a Hitachi Group Company, announced availability of OpeNgine version 2.1.

January 11, 2022

The Application Security Division of NTT introduced the next phase of The WhiteHat Vantage Platform, Vantage Prevent, a patented solution that enables enterprises to conduct dynamic application security testing (DAST) at each phase of the development cycle and prevent exploitable vulnerabilities from reaching production.

January 10, 2022

BrowserStack announced the acquisition of Nightwatch.js, the open-source test automation framework.

January 06, 2022

BMC announced new capabilities and integrations across its BMC AMI (Automated Mainframe Intelligence) and BMC Compuware portfolios.

January 06, 2022

ShiftLeft announced that its Intelligent-SCA product added scanning and attackability analysis for JavaScript (JS) and the TypeScript (TS) language to the ShiftLeft CORE platform.

January 06, 2022

Progress announced the latest release of Progress Fiddler Everywhere, its popular web debugging proxy tool.

January 05, 2022

Solo.io announced a new open-source project, BumbleBee, that simplifies the developer experience for building, packaging, and distributing eBPF tools.

January 05, 2022

Forty8Fifty Labs and Old Street Solutions announced that they are partnering in the development and delivery of solutions that simplify the collaboration and use of Atlassian Jira and Confluence.