A privacy and security analysis of early-deployed COVID-19 contact tracing Android apps
Northumbria University, Newcastle upon Tyne, UK.
Karlstad University, Faculty of Health, Science and Technology (starting 2013), Department of Mathematics and Computer Science (from 2013). (PriSec)
Karlstad University, Faculty of Health, Science and Technology (starting 2013), Department of Mathematics and Computer Science (from 2013). (PriSec) ORCID iD: 0000-0002-5235-5335
Karlstad University, Faculty of Health, Science and Technology (starting 2013), Department of Mathematics and Computer Science (from 2013). (PriSec) ORCID iD: 0000-0002-0418-4121
2021 (English). In: Empirical Software Engineering, ISSN 1382-3256, E-ISSN 1573-7616, Vol. 26, no 3, article id 36. Article in journal (Refereed). Published
Abstract [en]

As this article is being drafted, the SARS-CoV-2/COVID-19 pandemic is causing harm and disruption across the world. Many countries aimed at supporting their contact tracers with the use of digital contact tracing apps in order to manage and control the spread of the virus. Their idea is the automatic registration of meetings between smartphone owners for the quicker processing of infection chains. To date, there are many contact tracing apps that have already been launched and used in 2020. There has been a lot of speculation about the privacy and security aspects of these apps and their potential violation of data protection principles. Therefore, the developers of these apps are constantly criticized because of undermining users’ privacy, neglecting essential privacy and security requirements, and developing apps under time pressure without considering privacy- and security-by-design. In this study, we analyze the privacy and security performance of 28 contact tracing apps available on the Android platform from various perspectives, including their code’s privileges, promises made in their privacy policies, and static and dynamic performances. Our methodology is based on the collection of various types of data concerning these 28 apps, namely permission requests, privacy policy texts, run-time resource accesses, and existing security vulnerabilities. Based on the analysis of these data, we quantify and assess the impact of these apps on users’ privacy. We aimed at providing a quick and systematic inspection of the earliest contact tracing apps that have been deployed on multiple continents. Our findings have revealed that the developers of these apps need to take more cautionary steps to ensure code quality and to address security and privacy vulnerabilities. They should more consciously follow legal requirements with respect to apps’ permission declarations, privacy principles, and privacy policy contents.

Place, publisher, year, edition, pages
Springer Nature, 2021. Vol. 26, no 3, article id 36
Keywords [en]
contact tracing apps, covid19, privacy, security, software quality, android, permissions, personal data, maturity, information privacy, privacy risk
National Category
Computer and Information Sciences; Software Engineering
Research subject
Computer Science
Identifiers
URN: urn:nbn:se:kau:diva-83509; DOI: 10.1007/s10664-020-09934-4; ISI: 000631083100001; Scopus ID: 2-s2.0-85103351291; OAI: oai:DiVA.org:kau-83509; DiVA, id: diva2:1538894
Projects
Digital Well ResearchAlert
Available from: 2021-03-22 Created: 2021-03-22 Last updated: 2022-09-15 Bibliographically approved
In thesis
1. Privacy and Security Analysis: Assessing Risks and Harm to Patients
2022 (English). Licentiate thesis, comprehensive summary (Other academic)
Alternative title [sv]
Analys av Personlig Integritet och Informationssäkerhet : Bedöma Risker och Skador på Patienter
Abstract [en]

Disruptive technologies in the form of e-Health or electronic healthcare (the use of information technology in health) have the ability to provide positive implications to both patients and healthcare professionals. Recently, public health agencies deployed contact tracing apps with the aim of curbing the spread of COVID-19, by aiding manual contact tracing, and lifting restrictions. Despite this, their ubiquitous nature in the sector has opened doors to new threats in the area of information security and privacy, where these apps, for instance, contain security and privacy risks such as violation of the principle of least privilege, which when exploited can cause privacy harms to the user, for example, re-identification of users.

In general, information security and privacy in the healthcare sector is essential due to the nature of the data they process, and the need to keep the patient safe. While this is so, the general security posture of the sector, which is poor due to its under-financing in IT security among other reasons such as the use of legacy systems, makes it vulnerable to cyber-attacks that end up with exfiltration of personal health data, among other data, for instance, relevant research data. Such data can be misused incurring privacy harm to patients that have been affected by the breach.

This thesis follows an experimental approach to assess the privacy and security risks of m-Health apps, with the selected case study of these m-Health apps, that is, COVID-19 contact tracing apps. In addition, it also contributes with a theoretical approach to assessing impacts and consequences in the healthcare sector, including what harms patients could face in the event of a state-sponsored cyber-attack. In addition, the research aims at contributing to the field by proposing a sector-specific model that can be used to evaluate the impact on the privacy of patients affected by a data breach.

Abstract [sv]

Disruptive technologies in the form of e-Health or electronic healthcare (the use of information technology in health) have the ability to bring positive implications for both patients and healthcare professionals. Public health agencies have recently deployed so-called contact tracing apps with the aim of curbing the spread of COVID-19, by contributing to manual contact tracing and the introduction of restrictions. Despite this, their ubiquitous nature in the sector has opened doors to new threats in the areas of information security and privacy, where these apps, for example, contain security and privacy threats such as violations of the principle of least privilege, which, when exploited, can cause privacy harms to the user, for example re-identification of users.

In general, information security and the protection of privacy in healthcare are absolutely essential given the nature of the personal data that are processed and the need to protect the patient. Despite this, the sector's general posture, which is weak because of its under-financing of IT security, among other reasons such as the use of old systems, makes it vulnerable to cyber-attacks that end with the exfiltration of personal data, including research data. Such data can be misused and thereby cause harm to the patients who have been affected.

The thesis argues that the healthcare sector's low quality of information security can lead to the security and privacy of health data, especially personal health data, being exploited to cause privacy harms, not only by opportunists or hacktivists but also by state-sponsored attackers, such as Fancy Bear in the case of the World Anti-Doping Agency in 2016. It follows an experimental approach to establish the impact and consequences in the healthcare sector, including what harms patients could face if an attack sponsored by another country were to take place. Fundamentally, the research shows the critical and significant characteristics of the sector and the impact a cyber-attack would have on individuals and on the sector itself. In addition, the research aims to contribute to the field by proposing a sector-specific model that can be used to evaluate the impact on the privacy of the patients affected by a data breach.

Place, publisher, year, edition, pages
Karlstads universitet, 2022. p. 25
Series
Karlstad University Studies, ISSN 1403-8099 ; 2022:19
Keywords
Privacy, Security, e-Health, Risks, Harms, Personlig integritet, Informationssäkerhet, e-hälsa, Risker, Skador
National Category
Computer and Information Sciences
Research subject
Computer Science
Identifiers
urn:nbn:se:kau:diva-89688 (URN); 978-91-7867-292-9 (ISBN); 978-91-7867-303-2 (ISBN)
Presentation
2022-06-10, 21A342, 10:15 (English)
Opponent
Supervisors
Available from: 2022-05-20 Created: 2022-05-03 Last updated: 2022-10-04 Bibliographically approved

Open Access in DiVA

fulltext (4247 kB), 164 downloads
File information
File name: FULLTEXT01.pdf
File size: 4247 kB
Checksum (SHA-512): 065bd71ec7fce85f99e2a81c428a3187a0af9ee812e970f40c23c926ee95e9f7d289cdfe6d3e00e53061c091e663132957cdef6737c09578b3c908258c316934
Type: fulltext
Mimetype: application/pdf


Authority records

Momen, Nurul; Fritsch, Lothar
