TL;DR — After a review of the application permissions, sign up form, and as well a PCAP Dump of the entire process and a review of the architecture. I can sum up that there is no current cause for any major privacy concerns. This is a brief roll up nothing more to save time, do you want more technical goo? Read below. Fantastic.

PLEASE NOTE — THIS ARTICLE DOES NOT COVER ANY GOVERNMENT INFRASTRUCTURE BEHIND THE APPLICATION. ONLY THE APPLICATION ITSELF.

What is COVIDSAFE?

COVIDSAFE — APPLICATION LOGO — Department of Health

COVIDSAFE is the Australian Government Tracking application for COVID-19, the primary use of this application is to help Australia slow the growth of COVID-19. For people outside of Australia it should be known that this application is completely voluntary and the app can be uninstalled at any time. The only people who are allowed to access this application are currently state and territory officials IF someone tests positive AND also agrees to upload their information.

If you want to learn more about the application from the horses mouth, here’s health.gov.au running down several important bits and pieces. https://www.health.gov.au/resources/apps-and-tools/covidsafe-app

What does COVIDSAFE have access to?

Great question, and a great place on where to start for this. On my phone (One Plus 7) right now it currently has access to the following.

Location — Precise Location & Network-based Location

However, it does note that the Application does have the capability to do the following:

Have Full Network Access

Pairing With Bluetooth Devices

Access Bluetooth Settings

Run at Startup

Run Foreground Service

Ask to Ignore Battery Optimizations

View Network Connections

Most of them do line up with what the Australian government has said they would build in with the application, the only one that may cause concern for most people is “Have full Network Access”. However I’ll explain later to why this permission exists and why it shouldn’t be too worrying for users of the application.

What does COVIDSAFE do while I’m signing up?

So for those not aware, during the sign-up process of COVIDSAFE you are asked a few questions. These relate to the following;

Full Name

Age Group (NOT SPECIFIC AGE)

Postcode

Telephone Number

You can fill these in and just like that you’ll be on your way to being signed up for COVIDSAFE. Fantastic, but what does the guts of it look like behind the scenes? Well in all honesty it’s pretty boring… It seems as though that when you either receive or send, it goes mostly to an AWS CloudFront server and that seems to be the main gateway of sending data to and from the user. The below is an example of traffic I captured earlier today when the application was launched.