We report on an independent assessment of the Android implementation of the Google/Apple Exposure Notification (GAEN) system. While many health authorities have committed to making the code for their contact tracing apps open source, these apps depend upon the GAEN API for their operation and this is not open source. Public documentation of the GAEN API is also limited. We find that the GAEN API uses a filtered Bluetooth LE signal strength measurement that can be potentially misleading with regard to the proximity between two handsets. We also find that the exposure duration values reported by the API are coarse grained and can somewhat overestimate the time that two handsets are in proximity. Updates to the GAEN API that can affect contact tracing performance, and so public health, are silently installed on user handsets. While facilitating rapid rollout of changes, the lack of transparency around this raises obvious concerns.
Google/Apple Exposure Notification Due Diligence
Douglas Leith and Stephen Farrell (Trinity College Dublin)
View More Papers
Demo #4: Attacking Tesla Model X’s Autopilot Using Compromised...
Ben Nassi (Ben-Gurion University of the Negev), Yisroel Mirsky (Ben-Gurion University of the Negev, Georgia Tech), Dudi Nassi, Raz Ben...
Read MoreTASE: Reducing Latency of Symbolic Execution with Transactional Memory
Adam Humphries (University of North Carolina), Kartik Cating-Subramanian (University of Colorado), Michael K. Reiter (Duke University)
Read MoreHunting the Haunter — Efficient Relational Symbolic Execution for...
Lesly-Ann Daniel (CEA, List, France), Sébastien Bardin (CEA, List, France), Tamara Rezk (Inria, France)
Read MoreThe Abuser Inside Apps: Finding the Culprit Committing Mobile...
Joongyum Kim (KAIST), Jung-hwan Park (KAIST), Sooel Son (KAIST)
Read More