Taimoor Danish: Study of Privacy Preservice Mechanisms in the COVID-19 Contact Tracing Applications

[Music]

[Music] yeah all right that that's great okay before starting um uh the presentation uh you guys can hear me right uh just a bit about myself my name is temorali danish i'm a student at concordia's university of edmonton and i'm hoping to finish up my masters in information systems assurance by this december and this was part of my research uh part of my final research project which uh i had to finish uh to actually get my studies uh completed and uh we we started uh thinking about different things uh which uh we can research on and while you all of you on insecurity and risk or in any kind of business uh know that uh

koid is the thing that's that's kind of setting the trend of the future at least at the moment right so we said okay what code has actually affected us and uh the contact tracing was is one of the things that's before the vaccines came and was one of the things which was uh used to stop the spread of it right and we said okay let's see how that's working and uh how can actually we actually see that people can use that to full effect because um given that given the skepticism that was surrounding record by by general public even at this moment we are not able to get everyone at the same page people aren't sure about

thing um like even vaccines people aren't to believe people weren't believing uh contact tracing back then and uh are we uh that was kind of the purpose so we we wanted to see if the contact tracing apps were actually uh protecting the public uh personal privacy they weren't affecting the things uh a person would be concerned about using any sort of app so uh we we got our assumptions up about them uh we said okay uh people are gonna use the contact tracing application so um these apps are going to ask about some permissions for example location permission or bluetooth permission whatever there are there are a lot we're going to talk about that later

apps are going to ask about those permissions uh and some of them may be dangerous like location permission and whoever uses android or even ios uh knows that our location permission is categorized as a dangerous permission but that's something that that is needed that might be needed for a contact tracing app so okay first thing they might use dangerous permissions but they might also use some dangerous permissions which aren't really required like location is required but what if an app is asking for your camera permission how would you i mean if you're installing an app you want to help out you want to say okay i want i want to do the contact tracing with

the government and stuff i want to step stop the spread but why an app is asking for my camera what's the purpose of it so oh we wanted to see if there are some of those uh scenarios which where the these applications are asking for dangerous permissions which aren't really required uh the third thing was that uh apps are going to store some data and uh when when they're tracing uh one like locations latitude longitudes or other stuff they may be stored at locations which which can't be trusted by people especially given the circumstances of kobe so let's say there's an app in north america and uh it's the storage locations are in um in here in us in canada

but uh there will uh there will be some scenarios where these locations won't be in this these countries and that's that's actually not a problem but that could affect a a gen a person's trust uh who is not too much aware of why this data is stored outside maybe there's a cloud scenario or something like that so we wanted to see okay maybe there are some data stored at locations which may not be trusted uh by a general person but

my camera suddenly stopped can you i'm gonna ask you again can you actually hear me or no okay thanks it just stopped on me okay you also could see my presentation right i'm gonna show it again right there

so can you see the presentation now oh great great brilliant okay so you saw about while we were at the assumption so just to summarize them again uh just to summarize the okay you can't see the presentation or you can now okay great let's start sorry for that interruption okay just to summarize that again absolute use changes permissions which are required they may use some permissions which aren't required and we'll see where the data is stored uh to get our testing done we selected our data set from the applications which uh are being used at the moment in north america canada and united states um in canada basically there are only three apps there's one federal app and

british columbia and alberta have their own contact racing application or at least that was the case when this research was started um our operating system which we tested upon was android uh we had the option of ios but uh whoever has worked in testing or development would know that it's android gave us a little bit more freedom on testing it had more tools even though the tool we used i'm going to talk about that later had an option of ios but that was something that that was we we considered that okay this is going to give us more detail report if we select android as a starting point the third thing were uh well that's

simple 28 applications in our sample set you might see uh there might be some more added later on it's been few months uh since we started the research but uh basically three from canada and about 25 from different uh united states states uh were selected to get our results we designed our lab around testing using a tool called mob sf it's a brilliant tool if anyone of anybody of you is in moderate testing or in any sort of app testing uh and they don't have the source code of it uh just the apk or not even the apk you can actually search for the app within the mob sf f2 um they can actually test a lot in this uh it runs on docker

and as docker runs on any operating system from linux to mac to windows uh mobassef gave us two options of uh statically analyzing and dynamically analyzing our applications um both ways were brilliant a dynamic analyzer actually gave us way it can give us way more detailed report of each and every activity and where the permissions are um needed but for uh for our research static analyzer gave us cute enough reports um like it just took the apk we just um you can download the apks if you can or you can search uh inside the mobs of tools for the apks and uh it can give us the reports uh like which domains the app is trying to connect to what are

the locations of those domains uh which certificates the app uh is using uh and uh which permissions these apps and these apps are using which was more uh related to our research and it also gave us the idea of categorizing those permissions are as dangerous or normal permissions but that's something we could have seen from the google supplementation but it wasn't easy uh it was good that it actually gave that the the the changeless or normal category of the permissions inside the reports we got upon testing them we went to see how correct our assumptions were if you could remember i can repeat them again that apps may use dangerous permissions there might be some permissions which are

needed but well there could be some dangerous permissions used that are not actually needed and that the third was or the data is the data stored at a trusted location so upon testing our first assumption we found out there are 48 unique permissions used by these 25 apps and even though there were 34 normal permissions there were 14 dangerous permissions so uh by dangerous they don't mean they're they're not needed but but that's something our next assumption will test but our first uh assumption the first assumption of our hypothesis was correct that yes apps are gonna need the changes permissions this uh the second thing was okay well dangerous permissions are needed but there there might be some apps that are asking

for permissions unnecessary that could be due to um not uh well that could be due to lots of things maybe using uh methodologies which could be easily avoided and etc etc but uh well the results of that were uh yeah there were some permissions which were actually required i'm gonna talk about that in the next slide but uh let's talk first about the unnecessary dangerous permissions so a bit about the functionality first normally the the most common method we found out uh of using these category affirmations to use the contact tracing was the use of location permission which was which was uh understood location uh can be used for contact tracing but there were some permissions like write

external storage to card audio and camera which are not actually needed in the app's functionality or these permission could be easily avoided and used and or other other ways can be used for example let's talk about wide external storage uh if some app is actually trying to save some data um they could easily save them in shared preferences uh and given that most of the data is just the text based uh this permission wasn't necessarily needed about record audio and record audio and camera they could i mean you can easily avoid them in this sort of a scenario where people aren't that much trusting and there is a there is a a there is an

app which is trying to access your audio and camera people are not going to install that kind of an application the good thing about this result was these two were only used by one app that was punch alert app uh it had some other functionalities which it was using for the record audio and camera but they could have been the apps should have been isolated from one another they should have just released another app for the other things it was doing uh about the uh about the most used permissions access fine location was used about five times meaning they were this permission was actually used by five different apps out of 28 applications only five of them used

it this permission and it's understood why it was uh asking for this access file location permission because it's the easiest way to contact trace about uh out of our our 28 data set applications only six apps were actually requiring dangerous permissions which was a good thing uh it it it doesn't mean that if an app doesn't ask for ask for a dangerous permission it's not affecting your privacy in a way but it's better if it doesn't ask it because there is uh if if app has if app has an access to your things like your location your camera anything that is categorized as a dangerous permission uh it's easier to uh have an eff have an effect on users

privacy uh punch alert was the app which used most dangerous permissions it has it had about nine permissions uh which was which were dangerous it used about more than 30 total permissions but nine out of them were dangerous digging deep into into this app as i mentioned before this was more like a community app which had a contact racing functionality as a as what you say as an add-on but uh again um there were better ways of handling uh this uh the people who already have this app aren't gonna have a problem but somebody who's installing it the for the first time specifically when the state has said this is our official contact tracing app

uh when they're going to see that this app is asking for camera for a ride external storage for get accounts for billing they're not gonna install it uh as easily as uh let's say some other app which is not asking for these much permissions about a third assumption uh which was the uh the storage locations of the apps um it was a good thing to see that most of these uh servers were in north america uh there were few in europe um like canada sorry like germany or netherlands uh i'm gonna talk about them why they were there and there was one in colombia uh one server and that was all there was also a reason for that but let's i'm

gonna talk about these two in right now so about uh the servers in uh uh which were the jump you can see the domains the apps were connecting that were outside in north america one was mikepans.com digging a little deep into that this is basically a developer on github um with the what different libraries like um like dialect boxes which is our material design some things which are basic in android development and uh makes the developer's job easier so there was nothing related to data storage in here exposure notification notification.help this is a this is basically uh you must have got known that same kind of server used by ios and uh android uh for this this was used by pretty much

every application uh most of them at least and uh each app had it had had different location for this and when we kind of dig a little deeper into it we found out that that it was hosted on google cloud and whoever knows a little bit of cloud knows that uh well it's more distributed thing and there and the locations can be from from all over the world and that was one of the uh domains which was uh which had its servers in colombia but that was hosted by google cloud so if you want to if somebody was has a problem with uh installing an app which has a server outside north america well it's

hosted by google and it's a trustworthy server so there wasn't a problem with that uh out of all the apps with the best app we considered was the kobit alert that's canada canada's federal app and when we say best app it's not just we're not talking uh in context of functionality it's just it's uh basically the privacy practices that app is using um it only used 60 total permissions over normal uh it used depleted to share codes um that could be seen in more detail if there could be an effect on privacy there but as far as the permissions it was asking about uh there wasn't a big concern there uh the least like of our application was

the punch alert that's the third time i'm talking about if it was a standalone uh contact racing application it would have been fine as an app there wasn't too much problems with it there aren't too much problems with it but when it was um when because it was a normal app a community app where people can share problems like there's a fire here and there any emergencies um and contact racing was uh released as an add-on on it that could have been easily released as another app as for if you talk about just the type of types of permissions this app was asking about so so to conclude uh my talk here uh uh as for uh

or as far as our testing was concerned uh considering the permissions the apps were you asking about and our static analysis uh privacy wasn't affected except in view and in few i again i would say the punch alerts app and even there if we really dig deep into it and see okay this app has some other fun functionalities privacy wasn't a concern as far as the permissions were concerned uh out of all the permissions there were only three which all gave me which made sense that was access fine course and background location uh so other 11 apps 11 sorry permissions uh could have been easily avoided and something else could have been used in their uh

in their place to get the apps a little more uh privacy uh focused and the locations of the data storage were i mean there wasn't uh there wasn't even one server we found out we which was in where the ips or the locations or maybe the server was not uh did that testing gave us a problem wasn't uh trustworthy server so uh even our third assumption was uh well art the the third assumption was actually there the data stories maybe uh the location may be untrustworthy but they were not so that was a good thing so that's the end of my talk i would love some questions from you and i'm just gonna leave this slide right here

in my conclusion slide so you can actually ask something about it thank you very much for your time and yeah i'll be taking questions now

thank you sarah thank you mister thank you cantons thank you mr smith thank you miss sarah um yeah uh i would again i would love if you guys would ask something here uh something i might might haven't cleared here it would be great if you can give some insights or on some things you would like to see uh maybe i need to we need to see a little more of those maybe research on them a little more see them you know maybe in a video perspective

uh yes that was uh that was a part of our our data set yes the alberta's go with tracing app was one of the apps we actually uh tested and uh it's actually uh we used only one permission which was uh categorized as a dangerous one all can actually tell you right now i have the table here so yeah alberta's kobe tracing app was evaluated and it had uh it only asked for a location app uh permission i would say but which was which could be categorized as a dangerous permission thank you very much for all again all for for your time and bye goodbye