Douglas Leith and Stephen Farrell (Trinity College Dublin)

We report on an independent assessment of the Android implementation of the Google/Apple Exposure Notification (GAEN) system. While many health authorities have committed to making the code for their contact tracing apps open source, these apps depend upon the GAEN API for their operation and this is not open source. Public documentation of the GAEN API is also limited. We find that the GAEN API uses a filtered Bluetooth LE signal strength measurement that can be potentially misleading with regard to the proximity between two handsets. We also find that the exposure duration values reported by the API are coarse grained and can somewhat overestimate the time that two handsets are in proximity. Updates to the GAEN API that can affect contact tracing performance, and so public health, are silently installed on user handsets. While facilitating rapid rollout of changes, the lack of transparency around this raises obvious concerns.

View More Papers

Hashomer – Privacy-Preserving Bluetooth Based Contact Tracing Scheme for...

Benny Pinkas (Bar-Ilan University); Eyal Ronen (Tel Aviv University)

Read More

Demo #5: Securing Heavy Vehicle Diagnostics

Jeremy Daily, David Nnaji, and Ben Ettlinger (Colorado State University)

Read More

Location Data and COVID-19 Contact Tracing: How Data Privacy...

Callie Monroe, Faiza Tazi, Sanchari Das (university of Denver)

Read More

SymQEMU: Compilation-based symbolic execution for binaries

Sebastian Poeplau (EURECOM and Code Intelligence), Aurélien Francillon (EURECOM)

Read More