COVID-19 Contact Tracing: What's the Secure Coding Situation? - Part 2
June 16, 2020

Pieter Danhieux
Secure Code Warrior

One of the counter-attacks against COVID-19 has been through technology, with many countries rolling out contact tracing apps. It is always a bit of a worry when apps are built quickly, and these contact tracing apps are having to be rolled out in record time. It's a nightmare for developers, security people, and government agencies. So, is mistrust a valid reaction?

Start with COVID-19 Contact Tracing: What's the Secure Coding Situation? - Part 1

Some Apps Are Already Showing Signs of Simple Errors That Cause Complex Weaknesses

Australian software engineer Geoffrey Huntley has been studying the source code of COVIDSafe, and sadly, there are issues that are not necessarily being highlighted to us, the end-users.

One critical example was a privacy-breaching logic error that would allow an attacker to perform long-term tracking of devices; something that poses an enormous amount of risk for vulnerable users, not to mention it contravenes the Privacy Policy of the app itself.
It's important to note that these logic vulnerabilities have been patched as of May 14th, but the more pressing issue is that this was left unpatched, in the wild, for 17 days after Mr. Huntley reported it. He and other members of the awesome security community are tracking CVEs relating to the COVIDSafe app here.

One thing Huntley points out, post-patch, is that even the fix shows signs of, well, incompetence. In his public log, he notes the patch involved adding logic rather than simply deleting a flawed cache, with the latter being a far more robust remedy. Both work, but the live solution lacks finesse — a concern with such an important application.

Although we have diligent members of society using their own time and expertise to pore through source code and highlight issues, their job is made much harder than if the code was open source in the first place. As it stands, 28 apps are still closed off to security researchers.

Secure Coding Continues to Trip Us Up at the Finish Line

While I can certainly sympathize with overworked developers — as well as the highly unusual situation of having to churn out a life-saving app in the midst of a pandemic — the above should highlight that a few simple vulnerabilities in what is essentially a communal codebase could spell significant issues for millions of users.

I'd like to think most people want to be good citizens, support the app, and give everyone the best possible chance of contact tracing and controlling outbreaks of this horrific virus. I too am in support of technology that can help achieve this, but in many ways, this has unearthed the general lack of secure coding principles inherent in developers all over the world.

In any situation where software has to be written quickly, mistakes are not exactly unexpected. However, common security vulnerabilities like logic flaws, misconfigurations, and code injection errors should be something that can be prevented as code is written, not after volunteer white hats pick the codebase apart.

And it's not the developers' fault, by the way. They leave their tertiary education with little skills in secure coding, and in their careers, their KPIs almost always relate to feature functionality and speed of delivery — the security part is for someone else to deal with once they're done. We need to get to an end-state of secure coding at speed, and while now is not the time to make seismic culture shifts in the departments building these apps, it's a timely reminder that our digital risk area is expanding, and they are in pole position to make a difference if they're given the tools and knowledge to share the responsibility for security best practices.

Is It Safe to Download the App?

Here's the thing: for me, a security guy, I've come to the conclusion that the benefits of the app outweigh the issues. It's not ideal that the above vulnerabilities are — or have been — present in this software, but the implications of these being weaponized are worst-case scenarios. At the moment, contact tracing is a vital component of assisting our medical heroes all around the world in controlling the spread, stemming the flow of hospital admissions, and keeping each other as safe as possible.

It serves to highlight that we have a long way to go when it comes to enacting security best practices by default in a software build, and it's important the public does have the information needed to make informed decisions.

My family and I will continue to use it, though we remain vigilant with staying up-to-date with our Android patches, as we all should.

Pieter Danhieux is CEO and Co-Founder of Secure Code Warrior
Share this

Industry News

December 06, 2022

The Cloud Native Computing Foundation® (CNCF®), which builds sustainable ecosystems for cloud native software, announced the graduation of Argo, which will join other graduated projects such as Kubernetes, Prometheus, and Envoy.

December 06, 2022

Wib announced API PenTesting-as-a-Service (PTaaS) designed to help organizations proactively cover the latest PCI-DSS 4.0 mandates for testing application security, APIs, and vulnerabilities in Business Logic.

December 05, 2022

Harness announced Harness Cluster Orchestrator to allow customers to optimize their Kubernetes cloud workload costs and realize up to 90% cloud cost savings with Amazon Elastic Compute Cloud (Amazon EC2) Spot instances from Amazon Web Services (AWS).

December 01, 2022

Salesforce introduced a new Automation Everywhere Bundle to accelerate end-to-end workflow orchestration, automate across any system, and embed data and AI-driven workflows anywhere.

December 01, 2022

Weaveworks announced that Flux, the original GitOps project, has graduated in the Cloud Native Computing Foundation (CNCF®).

December 01, 2022

Tigera announced enhancements to its cluster mesh capabilities for managing multi-cluster environments with Calico.

December 01, 2022

CloudBees achieved the Amazon Web Service (AWS) Service Ready Program for Amazon Elastic Compute Cloud (Amazon EC2) Spot Instances.

November 30, 2022

GitLab announced the limited availability of GitLab Dedicated, a new way to use GitLab - as a single-tenant software as a service (SaaS) solution.

November 30, 2022

Red Hat announced an expansion of its open solutions publicly available in AWS Marketplace.

November 30, 2022

Sisense announced the availability of the Sisense CI/CD Git integration module.

November 29, 2022

Codenotary announced TrueSBOM for Serverless, a self-updating Software Bill of Materials (SBOM) for applications running on AWS Lamda, Google Cloud Functions and Microsoft Azure Functions that is made possible by simply adding one line to the application source code.

November 29, 2022

Code Intelligence announced its open-source Command-Line Interface (CLI) tool, CI Fuzz CLI, now allows Java developers to easily incorporate fuzz testing into their existing JUnit setup in order to find functional bugs and security vulnerabilities at scale.

November 29, 2022

Parasoft announced the 2022.2 release of Parasoft C/C++test with support for MISRA C:2012 Amendment 3 and a draft version of MISRA C++ 202x.

November 28, 2022

Kasm Technologies announced the release of Kasm Workspaces v1.12, providing major enhancements to its portfolio of digital workspaces delivering Desktop as a Service (DaaS), Virtualized Desktop Infrastructure (VDI), Remote Browser Isolation (RBI), Open-Source Intelligence Collection (OSINT), Training/Sandboxes, and Containerized Application Streaming (CAS).

November 28, 2022

Cloud4C has achieved Amazon Web Services (AWS) DevOps Competency status.