Update as of May 7, 2020: Some of the content in this article is outdated. The ‘reference implementation’ of the BlueTrace protocol, called OpenTrace, has been open-sourced. The advocacy aspects originally written in this article have been changed. The centralized model of TraceTogether’s design, coupled with the use of phone numbers and reversible encryption to generate IDs, enables any party who gains access to build the ‘social graph’ of COVID-19 positive users. Open-sourcing the actual code of the app will not mitigate this risk. Users of TraceTogether have to trust the Singapore government to securely handle their data collected via the app for the strict purpose of contact tracing. Given the human rights records and the history of data leaks in Singapore, as well as loopholes in the regulations that prescribe how personal data should be treated by the Singaporean government, the collected data can be vulnerable to mistreatment or exploitation.



As the COVID-19 pandemic spread across the world, governments turned to technology for solutions. Singapore, known for its emphasis on technocratic governance, is no exception. Facing a wave of COVID-19 infections, the country decided to roll out a mobile phone app called TraceTogether on March 20, 2020 to help with contact tracing. The app seeks to collect information about people with whom a person has been in close physical proximity over the past fourteen days should that person test positive for COVID-19.

The app is built by the Government Technology Agency (GovTech) in collaboration with the Ministry of Health (MOH). It works through the automated exchange of short-distance Bluetooth signals between mobile phones with the app installed. The app detects and records other devices with the app that are within a radius of 2-5 meters for 30 minutes.

Given the Singapore government’s human rights record, there are naturally concerns about privacy and surveillance. Concurrent with the release of the app, the Singapore state released two statements: Privacy Safeguards and a clarification of 9 myths surrounding the app. These myths are as follows:

The government is using the TraceTogether app to track or spy on every citizen’s whereabouts.

With the TraceTogether app running on a Bluetooth enabled mobile phone, anyone, including Singapore government agencies, can hack into the phone installed with TraceTogether and extract all information in the phone.

If a person downloads TraceTogether and gives consent to all in-app functions, that means that she or he essentially allows the MOH and the government to collect and gain access to all personal data, as well as data in the phone.

If MOH contact-traces a user and asks to upload the data stored by the TraceTogether app, the Ministry can also extract any other data that they want from that phone as well.

The download of TraceTogether can increase the risk of a data breach on the phone.

All information in the TraceTogether app is uploaded onto a server that faces a perpetual threat of being hacked.

Other TraceTogether users can see the phone number of the user who uses the app.

Even after TraceTogether is uninstalled, the mobile number and the randomized User ID will remain on the server forever.

Running the TraceTogether app in the background uses up a lot of data and phone battery.

The government’s clarifications of these myths all offer assurances that the app is fine to use. Records of encounters are supposedly stored locally in the user’s phone and would not be sent to the authorities. The authorities also claim that the phone stores the data collected by the app for 21 days only and that users would only be asked to share these records when contacted by MOH as part of investigations regarding contact tracing. Those who refuse can be charged under the Infectious Diseases Act. The user’s number is paired with a random ID, and it is this ID that is exchanged between phones, not the actual number. Finally, it is stated that the app only exchanges temporary IDs between devices. These IDs are changed every hour and only MOH can identify the phone numbers they were derived from.

We asked independent technical experts to examine the app and look at the information currently publicly available. Here are our findings, which may interest those who seek greater security and wish to protect their right to privacy.

Thorough examination and analysis of the app using conventional reverse engineering is highly challenging. For reasons unspecified, much of the code implementing core functionality, including its contact exchanging system, was obfuscated, making code analysis difficult.

Consequently, our findings cannot independently confirm the veracity of the Singapore government’s claims.

Obfuscation often conceals unspecified functions like backdoor access and tracking, security weaknesses, or trade secrets. The last reason is typical for developers of proprietary apps who fear plagiarism from competitors. Even though GovTech has announced that the app will be open source, they have yet to provide a timeline for the release of the app’s source code. It remains unclear if the complete source code of TraceTogether will be published (to the extent that third parties can build an exact replica for verification purposes), or if the source code release would be limited to its BlueTrace component.

As the promised source code was not yet available, technical experts were forced to reverse engineer TraceTogether in order to independently verify GovTech’s claims. This was done through a combination of static and runtime analysis. In a static analysis, the application is first put through a disassembler or decompiler and translated into a more human-readable form. The recovered code is then reviewed to determine its behavior. In a runtime analysis, the application is run and its processes are monitored in a special environment. Static analysis infers behavior from how a program was written, while runtime analysis infers behavior from what the program does as it runs.

According to one source employing runtime analysis, when TraceTogether runs, the phone scans its vicinity for about 8 seconds every 40 seconds to look for nearby devices running TraceTogether. When devices are found, it queries each of them. Each device sends back encrypted information, which the app decrypts and saves into a database stored in the phone. Each record consists of the following:

A timestamp

Temporary ID of the sender

The sender’s phone model

The signal strength of the connection to estimate the distance

Miscellaneous information including protocol version, organization (set to SG_MOH) and ‘expected transmission power at 1m’ for distance estimation

The app also records the start and end time of the scan into another table within the database.
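An added example (not TraceTogether's code) of how the recorded signal strength and 'expected transmission power at 1m' support a distance estimate, and how repeated sightings of one temporary ID add up to the 2-5 meter, 30 minute contact the app is described as recording. The field names, the log-distance path-loss model with exponent 2, the gap tolerance and the sample records are assumptions constructed for illustration.

```python
from collections import defaultdict

PATH_LOSS_EXPONENT = 2.0        # assumption: free-space propagation
SCAN_PERIOD_S = 40              # from the article: one scan about every 40 seconds
MAX_GAP_S = 3 * SCAN_PERIOD_S   # assumption: tolerate two missed scans in a run

def estimate_distance_m(rssi_dbm, tx_power_at_1m_dbm, n=PATH_LOSS_EXPONENT):
    """Log-distance path-loss model: d = 10 ** ((P_1m - RSSI) / (10 * n))."""
    return 10 ** ((tx_power_at_1m_dbm - rssi_dbm) / (10 * n))

def close_contact_seconds(records, max_distance_m=5.0):
    """Longest unbroken run of close-range sightings per temporary ID, in seconds."""
    by_id = defaultdict(list)
    for r in records:
        if r["org"] != "SG_MOH":
            continue  # ignore records from other deployments
        if estimate_distance_m(r["rssi"], r["tx_power"]) <= max_distance_m:
            by_id[r["temp_id"]].append(r["timestamp"])
    longest = {}
    for temp_id, stamps in by_id.items():
        stamps.sort()
        best = 0
        run_start = prev = stamps[0]
        for ts in stamps[1:]:
            if ts - prev > MAX_GAP_S:   # gap too long: start a new run
                run_start = ts
            prev = ts
            best = max(best, prev - run_start)
        longest[temp_id] = best
    return longest

def flag_contacts(records, min_seconds=30 * 60):
    """Temporary IDs seen at close range for at least min_seconds."""
    runs = close_contact_seconds(records)
    return sorted(t for t, s in runs.items() if s >= min_seconds)

def _sightings(temp_id, rssi, stamps):
    return [{"timestamp": t, "temp_id": temp_id, "model": "constructed-phone",
             "rssi": rssi, "tx_power": -59, "org": "SG_MOH", "version": 1}
            for t in stamps]

# Constructed sample records, not captured data. Timestamps are in seconds.
SAMPLE = (
    _sightings("TEMPID-A", -65, range(0, 1801, 40))      # about 2 m for 30 min
    + _sightings("TEMPID-B", -85, range(0, 1801, 40))    # about 20 m, too far
    + _sightings("TEMPID-C", -65, [0, 40, 80, 1000, 1040])  # close but brief
)
```

Because the records are keyed by temporary ID and the IDs change every hour, a phone can only total contact time within one ID's lifetime; merging sightings across rotations requires the party that can resolve temporary IDs.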

Despite the Singapore government’s claims of minimal data collection, static analysis efforts revealed that the app has three separate analytic systems built in. They are Firebase Analytics, Crashlytics, and Snowplow Analytics. The app’s heavy obfuscation left its examiners with only guesses at their broad purpose of ‘user engagement’ and crash reporting. To get around the hurdle, one user inspected the traffic and discovered that the app transmitted data to an address operated under the Whole-of-Government Application Analytics (WOGAA), the Singapore government’s centralized analytics platform for its digital services. After the issue was reported, GovTech promised its removal in the next update.

Storage of data on state databases in Singapore may allow state agencies other than the Ministry of Health the technical ability to access key personal information, potentially without a user’s prior, informed consent. As the app cannot be examined easily, it raises concerns about the safety and security of activists and government critics if the app turns out to be a surveillance app, given the human rights record in Singapore.

TraceTogether’s contact tracing is built on GovTech’s homegrown BlueTrace protocol and works over Bluetooth Low Energy (BLE). The Government Digital Services team at GovTech is behind its design. TraceTogether works best when its users leave Bluetooth on all the time, but this raises serious security concerns in light of two major vulnerability disclosures: BlueBorne in late 2017 and SweynTooth in February 2020.

Both disclosures revealed that the Bluetooth stack on many mobile and IoT devices had a plethora of flaws that could be exploited and compromised remotely over the airwaves, so long as the devices were within range. This translates to a rough radius of up to 10 meters for mobile devices, and line of sight is not required. In the most severe case, an attacker was able to gain access in a short time and run arbitrary code on the victim device from a distance with no apparent contact.

While software updates have been released to close the holes, not all affected devices will have received updates. This could be because users have not chosen to install them, or because the devices were no longer supported (if at all) by their manufacturers. More ominously, the authors of BlueBorne and SweynTooth believe there are more vulnerabilities awaiting discovery and exploitation due to the complexity of the Bluetooth stack.

Users with mobile phones from reputable manufacturers that are less than two years old generally face less risk as their phones tend to receive recent and timely software updates that fix the vulnerabilities. However, not all individuals can afford or possess newer devices.

Our bottom line is that we are unable to confirm whether the app sufficiently accounts for privacy and security concerns when operating in current, real world situations. Despite the positive endorsement from the Singapore government, the app continues to raise concerns over obfuscation. Efficient contact tracing is undoubtedly necessary to face the dangers of COVID-19. However, the means of doing so need to be transparent, while safety and privacy need to be independently verifiable. Such steps are necessary not only to build and sustain public trust, but also to ensure adequate protection of human rights.

Recommendations

GovTech must lift obfuscation of the software code to enable independent technical experts to examine the app’s function and verify the government’s claims.

If the app is going to be open-source, the complete source code of the app should be released, not just the protocol specification and reference implementation of BlueTrace.

Serious efforts should be taken to reduce the risks of having Bluetooth perpetually turned on 24/7 to support the app’s function, particularly for people whose phones do not receive security updates.

Disclaimer: Due to the nature of a regularly updated app, these findings only apply to the TraceTogether app at the time of analysis. The experts we consulted used version 1.0.41 of the app for Android for the analysis. Due to limited resources, we were unable to examine the iOS version.



This article was updated on April 8, 2020 to examine version 1.0.41 of the app; version 1.0.38 was originally examined.



This article is published under Creative Commons license CC-BY-NC-ND 4.0.

The cover photo is by Benjamin Sow.