How hackers can use message mirroring apps to see all your SMS texts — and bypass 2FA security


Syed Wajid Ali Shah, Deakin University; Jongkil Jay Jeong, Deakin University, and Robin Doss, Deakin University

It’s now well known that usernames and passwords aren’t enough to securely access online services. A recent study highlighted more than 80% of all hacking-related breaches happen due to compromised and weak credentials, with three billion username/password combinations stolen in 2016 alone.

As such, the implementation of two-factor authentication (2FA) has become a necessity. Generally, 2FA aims to provide an additional layer of security to the relatively vulnerable username/password system.

It works too. Figures suggest users who enabled 2FA ended up blocking about 99.9% of automated attacks.

But as with any good cybersecurity solution, attackers can quickly come up with ways to circumvent it. They can bypass 2FA through the one-time codes sent as an SMS to a user’s smartphone.

Yet many critical online services in Australia still use SMS-based one-time codes, including myGov and the Big 4 banks: ANZ, Commonwealth Bank, NAB and Westpac.


So what’s the problem with SMS?

Major vendors such as Microsoft have urged users to abandon 2FA solutions that leverage SMS and voice calls. This is because SMS is renowned for having infamously poor security, leaving it open to a host of different attacks.

For example, SIM swapping has been demonstrated as a way to circumvent 2FA. SIM swapping involves an attacker convincing a victim’s mobile service provider that they are the victim, and then requesting the victim’s phone number be switched to a device of their choice.

SMS-based one-time codes are also shown to be compromised through readily available tools such as Modlishka by leveraging a technique called reverse proxy. This facilitates communication between the victim and a service being impersonated.

So in the case of Modlishka, it will intercept communication between a genuine service and a victim, and will track and record the victim’s interactions with the service, including any login credentials they may use.

In addition to these existing vulnerabilities, our team has found additional vulnerabilities in SMS-based 2FA. One particular attack exploits a feature provided on the Google Play Store to automatically install apps from the web to your Android device.

Due to syncing services, if a hacker manages to compromise your Google login credentials on their own device, they can then install a message mirroring app directly onto your smartphone.
Shutterstock

If an attacker has access to your credentials and manages to log into your Google Play account on a laptop (although you will receive a prompt), they can then install any app they’d like automatically onto your smartphone.

The attack on Android

Our experiments revealed a malicious actor can remotely access a user’s SMS-based 2FA with little effort, through the use of a popular app (name and type withheld for security reasons) designed to synchronise users’ notifications across different devices.

Specifically, attackers can leverage a compromised email/password combination connected to a Google account (such as username@gmail.com) to nefariously install a readily-available message mirroring app on a victim’s smartphone via Google Play.

This is a realistic scenario since it’s common for users to use the same credentials across a variety of services. Using a password manager is an effective way to make your first line of authentication — your username/password login — more secure.

Once the app is installed, the attacker can apply simple social engineering techniques to convince the user to enable the permissions required for the app to function properly.

For example, they may pretend to be calling from a legitimate service provider to persuade the user to enable the permissions. After this they can remotely receive all communications sent to the victim’s phone, including one-time codes used for 2FA.

Although multiple conditions must be fulfilled for the aforementioned attack to work, it still demonstrates the fragile nature of SMS-based 2FA methods.

More importantly, this attack doesn’t need high-end technical capabilities. It simply requires insight into how these specific apps work and how to intelligently use them (along with social engineering) to target a victim.

The threat is even more real when the attacker is a trusted individual (e.g., a family member) with access to the victim’s smartphone.

What’s the alternative?

To remain protected online, you should check whether your initial line of defence is secure. First check your password to see if it’s compromised. There are a number of security programs that will let you do this. And make sure you’re using a well-crafted password.

We also recommend you limit the use of SMS as a 2FA method if you can. You can instead use app-based one-time codes, such as through Google Authenticator. In this case the code is generated within the Google Authenticator app on your device itself, rather than being sent to you.

However, this approach can also be compromised by hackers using some sophisticated malware. A better alternative would be to use dedicated hardware devices such as YubiKey.

Hand holds up a YubiKey USB with the text 'Citrix' in the background.
The YubiKey, first developed in 2008, is an authentication device designed to support one-time password and 2FA protocols without having to rely on SMS-based 2FA.
Shutterstock

These are small USB (or near-field communication-enabled) devices that provide a streamlined way to enable 2FA across different services.

Such physical devices need to be plugged into or brought into close proximity of a login device as a part of 2FA, therefore mitigating the risks associated with visible one-time codes, such as codes sent by SMS.

It must be stressed an underlying condition to any 2FA alternative is the user themselves must have some level of active participation and responsibility.

At the same time, further work must be carried out by service providers, developers and researchers to develop more accessible and secure authentication methods.

Essentially, these methods need to go beyond 2FA and towards a multi-factor authentication environment, where multiple methods of authentication are simultaneously deployed and combined as needed.




Syed Wajid Ali Shah, Research Fellow, Centre for Cyber Security Research and Innovation, Deakin University; Jongkil Jay Jeong, CyberCRC Research Fellow, Centre for Cyber Security Research and Innovation (CSRI), Deakin University, and Robin Doss, Research Director, Centre for Cyber Security Research and Innovation, Deakin University

This article is republished from The Conversation under a Creative Commons license. Read the original article.

The world might run out of a crucial ingredient of touch screens. But don’t worry, we’ve invented an alternative


Timothy Muza/Unsplash, CC BY-SA

Behnam Akhavan, University of Sydney

Have you ever imagined your smart phone or tablet without a touch screen? This could soon be the case if we run out of indium, one of the rarest minerals on Earth.

Indium is used in many high-tech devices such as touch screens, smart phones, solar panels and smart windows, in the form of indium tin oxide. This compound is optically transparent and electrically conductive — the two crucial features required for touch screens to work.

But there’s a problem: we have no guaranteed long-term supply of indium. It is naturally found only in tiny traces, and is therefore impractical to mine directly. Almost all of the world’s indium comes as a byproduct of zinc mining.

Fortunately, we have a potential solution: my colleagues and I have developed a new way to make optically transparent and electrically conductive coatings without indium.

A worsening problem

Because the world’s indium supply is tied to zinc mining, its availability and price will depend on the demand for zinc.

Possible declines in zinc demand — already evident in the car manufacturing industry — along with the ever-increasing usage of smart phones and touch panels — are set to exacerbate the potential shortage of indium in the future.

One option is to try and recycle indium. But recovering it from used devices is expensive because of the tiny amounts involved.


When a crucial material is in short supply, we should look for alternatives. And that’s exactly what my colleagues and I have found.

How does it work?

Our new coating, details of which are published in the journal Solar Energy Materials and Solar Cells, involves plasma technology.

Plasma is like a soup of charged particles in which electrons have been ripped away from their atoms, and is often described as the fourth state of matter, after solid, liquid and gas. It might sound like an exotic substance, but in fact it comprises more than 99% of the visible objects in the universe. Our Sun, like most stars, is essentially a giant ball of glowing plasma.

Closer to home, fluorescent lightbulbs and neon signs also contain plasma. Our new touchscreen films don’t contain plasma, but their manufacture uses plasma as a way to create new materials that would otherwise be impossible to make.

Plasma apparatus
The new material is created using a process called plasma sputtering.
Behnam Akhavan

Our coating is made of an ultra-thin layer of silver, sandwiched between two layers of tungsten oxide. This structure is less than 100 nanometres thick — roughly one-thousandth of the width of a human hair.

These ultra-thin sandwich layers are created and coated onto glass using a process called “plasma sputtering”. This involves subjecting a mixture of argon and oxygen gases to a strong electric field, until this mixture transforms into the plasma state. The plasma is used to bombard a tungsten solid target, detaching atoms from it and depositing them as a super-thin layer onto the glass surface.

We then repeat this process using silver, and then a final third time tungsten oxide embedded with silver nanoparticles. The entire process takes only a few minutes, produces minimal waste, is cheaper than using indium, and can be used for any glass surface such as a phone screen or window.

Diagram of the structure
The finished result is a sandwich of tungsten oxide and silver, coated onto glass.
Behnam Akhavan, Author provided

The finished plasma coating also has another intriguing feature: it is electrochromic, meaning it can become more or less opaque, or change colour, if an electrical voltage is applied.

This means it could be used to create super-thin “printable displays” that can become dimmer or brighter, or change colour as desired. They would be flexible and use little power, meaning they could be used for a range of purposes including smart labels or smart windows.

Different optical performances of the same material
The material’s opacity can be changed by varying the voltage.
Behnam Akhavan, Author provided

Smart windows coated with our new films could be used to block the flow of light and thus heat as required. Our plasma film can be applied to any glass surface, which can then be set to adjust its transparency depending on the weather outside. Unlike existing “photochromic” spectacle lenses, which respond to ambient light levels, our material responds to electrical signals, meaning it can be manipulated at will.

Our new indium-free technology holds great potential to manufacture the next-generation touch-screen devices such as smart phones or electronic papers, as well as smart windows and solar cells for environmental sustainability. This technology is ready to be scaled up for creating coatings on commercial glass, and we are now doing further research and development to adapt them for future wearable electronic devices.




Behnam Akhavan, Senior Lecturer, ARC DECRA Fellow, School of Biomedical Engineering and School of Physics, Sydney Nano Institute, University of Sydney

This article is republished from The Conversation under a Creative Commons license. Read the original article.

Phone wet and won’t turn on? Here’s how to deal with water damage (hint: soaking it in rice won’t work)


Ritesh Chugh, CQUniversity Australia

If you’ve ever gotten your phone wet in the rain, dropped it in water or spilt liquid over it, you’re not alone. One study suggests 25% of smartphone users have damaged their smartphone with water or some other kind of liquid.

Liquid penetrating a smartphone can affect the device in several ways. It could lead to:

  • blurry photos, if moisture gets trapped in the camera lens
  • muffled audio, or no audio
  • liquid droplets under the screen
  • an inability to charge
  • the rusting of internal parts, or
  • a total end to all functionality.

While new phones are advertised as “water resistant”, this doesn’t mean they are waterproof, or totally immune to water. Water resistance just implies the device can handle some exposure to water before substantial damage occurs.

Samsung Australia has long defended itself against claims it misrepresents the water resistance of its smartphones.

In 2019, the Australian Competition and Consumer Commission (ACCC) took Samsung to Federal Court, alleging false and misleading advertisements had led customers to believe their Galaxy phones would be suitable for:

use in, or exposure to, all types of water (including, for example, oceans and swimming pools).

Samsung Australia subsequently denied warranty claims from customers for damage caused to phones by use in, or exposure to, liquid.

Similarly, last year Apple was fined €10 million (about A$15.5 million) by Italy’s antitrust authority for misleading claims about the water resistance of its phones, and for not covering liquid damage under warranty, despite these claims.

How resistant is your phone?

The water resistance of phones is rated by an “Ingress Protection” code, commonly called an IP rating. Simply, an electrical device’s IP rating refers to its effectiveness against intrusions from solids and liquids.

The rating includes two numbers. The first demonstrates protection against solids such as dust, while the second indicates resistance to liquids, specifically water.

Here are the various Ingress Protection ratings. The numbering changes based on the level of protection.
Element Materials Technology

A phone that has a rating of IP68 has a solid object protection of 6 (full protection from dust, dirt and sand) and a liquid protection of 8 (protected from immersion in water to a depth of more than one metre).

Although, for the latter, manufacturers are responsible for defining the exact depth and time.

The popular iPhone 12 and Samsung Galaxy S21 phones both have a rating of IP68. However, regarding exposure to water, the iPhone 12 has a permissible immersion depth of a maximum of 6m for 30 minutes, whereas the Galaxy S21’s immersion limit is up to 1.5m, also for 30 minutes.

While IP ratings indicate the water-repellent nature of phones, taking most phones for a swim will land you in deep trouble. The salt content in oceans and swimming pools can corrode your device and cost you a hefty replacement.

Moreover, phone manufacturers carry out their IP testing in fresh water and Apple recommends devices not be submerged in liquids of any kind.

Luckily, water resistant phones are generally able to survive smaller liquid volumes, such as from a glass tipping over.


Checking for liquid damage

Exposure to water is something manufacturers have in mind when designing phones. Most Apple and Samsung phones come with a liquid contact/damage indicator strip located inside the SIM card tray.

This is used to check for liquid damage that may be causing a device to malfunction. An indicator strip that comes in contact with liquid loses its usual colour and becomes discoloured and smudgy.

Samsung and Apple phones have Liquid Contact/Damage Indicators.
Samsung/Apple

A discoloured strip usually renders your phone ineligible for a standard manufacturer warranty.

If you have any of the more recent smartphones from Apple or Samsung, then your device will be able to detect liquid or moisture in its charging port and will warn you with an alert. This notification only goes away once the port is dry.

New generation Samsung and Apple phones have a moisture/liquid alert notification.
Samsung/Apple

But what should you do if this dreadful pop-up presents itself?

Fixing a water-logged phone

Firstly, do not put your phone in a container of rice. It’s a myth that rice helps in drying out your phone. Instead, follow these steps:

  1. Turn off the device immediately and don’t press any buttons.
  2. If your phone is water resistant and you’ve spilt or submerged it in a liquid other than water, both Apple and Samsung recommend rinsing it off by submerging it in still tap water (but not under a running tap, which could cause damage).
  3. Wipe the phone dry with paper towels or a soft cloth.
  4. Gently shake the device to remove water from the charging ports, but avoid vigorous shaking as this could further spread the liquid inside.
  5. Remove the SIM card.
  6. Use a compressed aerosol air duster to blow the water out if you have one. Avoid using a hot blow dryer as the heat can wreck the rubber seals and damage the screen.
  7. Dry out the phone (and especially the ports) in front of a fan.
  8. Leave your phone in an airtight container full of silica gel packets (those small packets you get inside new shoes and bags), or another drying agent. These help absorb the moisture.
  9. Do not charge the phone until you are certain it’s dry. Charging a device with liquid still inside it, or in the ports, can cause further damage. Apple suggests waiting at least five hours once a phone appears dry before charging it (or until the alert disappears).

If the above steps don’t help and you’re still stuck with a seemingly dead device, don’t try opening the phone yourself. You’re better off taking it to a professional.




Ritesh Chugh, Senior Lecturer – Information Systems and Analysis, CQUniversity Australia

This article is republished from The Conversation under a Creative Commons license. Read the original article.

By persisting with COVIDSafe, Australia risks missing out on globally trusted contact tracing


Ritesh Chugh, CQUniversity Australia

Australia has ruled out abandoning the government’s COVIDSafe contact tracing app in favour of the rival “Gapple” model developed by Google and Apple, which is gaining widespread support around the world. Deputy Chief Medical Officer Nick Coatsworth told The Project the COVIDSafe app was “a great platform”.

In the two months since its launch, COVIDSafe has been downloaded just over 6.4 million times – well short of the government’s target of 40% of the Australian population.

Its adoption was plagued by privacy, security and backwards compatibility concerns, and further exacerbated by excessive battery consumption. And despite being described as a vital tool in the response to COVID-19, it is reportedly yet to identify a single infection that hadn’t already been tracked down by manual contact tracing.


It seems the app has failed to win the public’s trust. Software downloads are based on the perceptions of risk and anticipated benefits. In this scenario, the risks appear to outweigh the benefits, despite the dangers of a second coronavirus wave taking hold in our second most populous city.

COVID-19 cases in Melbourne continue to surge. But more broadly, the relatively low number of overall cases in Australia and the lack of adequate buy-in among the public make it difficult for COVIDSafe to make a meaningful contribution.

Is there another way?

Some 91% of Australians have a smartphone, whereas a rough calculation based on the 6.4 million downloads suggests only 28% have downloaded COVIDSafe.

For digital contact tracing to be effective, an uptake of around 60% of the population has been suggested – well beyond even the 40% target which COVIDSafe failed to hit.

The logic is straightforward: we need a system that 60% of people are willing and able to use. And such a system already exists.

Tech giants Apple and Google have collaboratively developed their own contact-tracing technology, dubbed the “Gapple” model.

How does Gapple work?

Gapple is not an app itself, but a framework that provides Bluetooth-based functionality by which contact tracing can work. Crucially, it has several features that lend it more privacy than COVIDSafe.

In simple terms, it allows Android and iOS (Apple) devices to communicate with one another using existing apps from health authorities, using a contact-tracing system built into the phones’ operating systems.

The system offers an opt-in exposure notification system that can alert users if they have been in close proximity to someone diagnosed with COVID-19.

Gapple’s exposure notification system.

Gapple’s decentralised exposure notification system offers more privacy and security than many other contact-tracing technologies, because:

  • it does not collect or track device location

  • data is collected on the users’ phones rather than a centralised server

  • it does not share users’ identities with other people, Apple or Google

  • health authorities do not have direct access to the data

  • users can continue to use the public health authority’s app without opting into the Gapple exposure notifications, and can turn the notification system off if they change their mind.

The system meets many of the basic principles of the American Civil Liberties Union’s criteria for technology-assisted contact tracing. And its exposure notification settings appear in recent updates of both Android and iOS devices. But without an app that uses the Gapple framework, the exposure notification system cannot be used.
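The privacy properties listed above follow from where the data lives, which is easier to see in a simulation than in prose. The following is an added example, not code from the article, Apple or Google: a deliberately simplified model of a decentralised exposure notification scheme. Each phone keeps a random daily key, broadcasts short identifiers derived from it, and records the identifiers it hears only on the device. A diagnosed user who opts in uploads nothing but their daily keys; every other phone downloads those keys and does the matching locally. The HMAC-based identifier derivation, the 10-minute intervals and the 15-minute alert threshold are this example's assumptions (the real system uses HKDF and AES for the derivation), chosen to show the data flow rather than the exact cryptography.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

INTERVAL_MINUTES = 10          # assumption: identifiers rotate every 10 minutes
INTERVALS_PER_DAY = 24 * 60 // INTERVAL_MINUTES


def rolling_identifier(daily_key: bytes, interval: int) -> bytes:
    """Derive the identifier broadcast during one interval from the daily key.
    Simplified stand-in for the real HKDF/AES derivation: the key cannot be
    recovered from the identifier, and identifiers from different intervals
    cannot be linked without the key."""
    msg = b"EN-RPI" + interval.to_bytes(4, "big")
    return hmac.new(daily_key, msg, hashlib.sha256).digest()[:16]


@dataclass
class Phone:
    name: str
    daily_keys: dict = field(default_factory=dict)   # day -> key; stays on the device
    observed: list = field(default_factory=list)     # (identifier, day, interval, minutes)

    def key_for(self, day: int) -> bytes:
        if day not in self.daily_keys:
            self.daily_keys[day] = secrets.token_bytes(16)
        return self.daily_keys[day]

    def broadcast(self, day: int, interval: int) -> bytes:
        return rolling_identifier(self.key_for(day), interval)

    def hear(self, identifier: bytes, day: int, interval: int, minutes: int = INTERVAL_MINUTES):
        # No location, no identity: only the opaque identifier and how long it was near.
        self.observed.append((identifier, day, interval, minutes))

    def diagnosis_upload(self, days) -> list:
        """What a diagnosed, consenting user sends to the health authority's server:
        only their own daily keys. The observation log never leaves the phone."""
        return [(day, self.daily_keys[day]) for day in days if day in self.daily_keys]

    def check_exposure(self, published_keys, threshold_minutes: int = 15):
        """Runs on the device against the downloaded key list; the server never
        learns who this phone met or whether it matched anything."""
        total = 0
        for day, key in published_keys:
            risky = {rolling_identifier(key, i) for i in range(INTERVALS_PER_DAY)}
            for identifier, d, _interval, minutes in self.observed:
                if d == day and identifier in risky:
                    total += minutes
        return total >= threshold_minutes, total


def simulate() -> dict:
    """Constructed scenario: Alice and Bob share a 20-minute tram ride; Carol
    passes Alice briefly once. Alice is later diagnosed and opts in."""
    alice, bob, carol = Phone("alice"), Phone("bob"), Phone("carol")
    day = 20200701
    for interval in (30, 31):
        bob.hear(alice.broadcast(day, interval), day, interval)
        alice.hear(bob.broadcast(day, interval), day, interval)
    carol.hear(alice.broadcast(day, 40), day, 40, minutes=5)

    server_key_list = alice.diagnosis_upload([day])
    return {p.name: p.check_exposure(server_key_list) for p in (bob, carol)}


if __name__ == "__main__":
    for name, (alerted, minutes) in simulate().items():
        print(f"{name}: alerted={alerted} exposure_minutes={minutes}")
```

Two things to notice when reading the output: Bob is alerted and Carol is not, yet neither phone ever sent anything to the server, and the server's only record is Alice's daily key for that day, which reveals nothing about where she was or whom she met.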

COVID-19 Exposure Notification System.

Gapple going global

Global support for the Gapple model is growing. The United Kingdom, many parts of the United States, Switzerland, Latvia, Italy, Canada and Germany are abandoning their native contact-tracing technologies in favour of a model that could achieve much more widespread adoption worldwide.

The ease of communication between different devices will also make Gapple a crucial part of international contact tracing once borders are reopened in the future, and people start to travel.

In this light, it is hard to see why Australia resisted the calls to ditch COVIDSafe and adopt the Gapple model.

Can Australians use Gapple anyway?

No, they can’t, because the Gapple model requires users to download a native app from their region’s public health authority which uses the Gapple exposure notification system. Australia’s decision means that won’t be happening here any time soon.

In grappling with the dilemma between citizens’ civil rights and curbing the growth of the fatal COVID-19 virus, the Gapple model is a trade-off to encourage higher uptake of contact-tracing technologies.


Ultimately, the Gapple model will be a step forward in the world’s fight against COVID-19, because it will encourage significant numbers of people to use it.

The decision to persist with the COVIDSafe app, rather than adopting an emerging global model, could have severe repercussions for Australians. For any digital contact-tracing technology to work effectively, a large number of people must use it, and COVIDSafe has fallen short of that basic requirement.

Ritesh Chugh, Senior Lecturer/Discipline Lead – Information Systems and Analysis, CQUniversity Australia

This article is republished from The Conversation under a Creative Commons license. Read the original article.

False positives, false negatives: it’s hard to say if the COVIDSafe app can overcome its shortcomings


Dinesh Kumar, RMIT University and Pj Radcliffe, RMIT University

The Australian government’s contact-tracing app, COVIDSafe, has been touted as crucial for restarting the country’s economy and curbing COVID-19’s spread.

But until more data are collected, it’s hard to estimate how effective the app will be. Nonetheless, there are some predictable situations in which COVIDSafe’s design may mean it will struggle to fulfil its purpose.

False positives

COVIDSafe uses Bluetooth to digitally “trace” people with whom a user has come into contact, with the aim of alerting anyone who has interacted with a confirmed COVID-19 case. But this technology carries a risk of “false positives”, wherein a user may be falsely alerted despite not actually having come into contact with the virus.

This is because Bluetooth radio waves pass through walls and glass. They can only measure how physically close two people are; they can’t tell whether those people are in the same room, in different rooms, or even in different cars passing each other.

In a high-density apartment building, depending on the strength of Bluetooth signals, it’s possible COVIDSafe could falsely alert plenty of people.


The Department of Health has acknowledged this complication, saying:

If this happens and one of the contacts is identified as having coronavirus, state and territory health officials will talk to the people to work out if this was a legitimate contact or not.

Nonetheless, this process may cause unnecessary distress, and could also have negative flow-on effects on the economy by keeping people home unnecessarily. False positives could also erode public trust in the app’s effectiveness.

False negatives

On the other side of the coin, COVIDSafe also has the potential for “false negatives”. Simply, it will not identify non-human-to-human transmission of the virus.

We know COVID-19 can survive on different surfaces for various periods of time. COVIDSafe would not be able to alert people exposed to the virus via a solid surface, such as a shopping trolley or elevator button, if the person who contaminated that surface had already left the scene.

COVIDSafe is also not helpful in the case of users who become infected with COVID-19 but remain asymptomatic. Such a person may never get tested and upload their contact data to the app’s central data store, but may still be able to pass the virus to those around them. More data is needed on asymptomatic transmission.


And regarding the decision to classify “close contacts” as people who have been within a 1.5m distance for 15 minutes – this may have been based on research from Japan for when people are in an open space, and the air is moving.

However, this research also showed micro-droplets remained suspended in the air for 20 minutes in enclosed spaces. Thus, the 1.5m for 15 minutes rule may be questionable for indoor settings.

Downloads vs usage

Recently, Iceland’s contact tracing app achieved the highest penetration of any such app in the world, with almost 40% of the population opting in. But Icelandic Police Service detective inspector Gestur Pálmason – who has overseen contact tracing efforts – said while it was useful in a few cases, the app “wasn’t a game-changer”.

Australia’s Prime Minister Scott Morrison has said on multiple occasions COVIDSafe requires a 40% uptake to be effective.

Since then, federal health minister Greg Hunt has said there’s “no magic figure, but every set of people that download will make it easier and help”. This was echoed more recently by Department of Health acting secretary Caroline Edwards, who told a Senate committee there was no specific uptake goal within her team.

Past modelling revealed infection could be controlled if more than 70% of the population were taking the necessary precautions. It’s unclear what science (if any) was forming the basis of Australia’s initial 40% uptake goal for COVIDSafe.

This goal is also lower than proposed figures from other experts around the world, who have suggested goals varying from 50-70%, and 80% for UK smartphone owners. But the fact is, these figures are estimates and are difficult to test for accuracy.

A survey conducted by University of Sydney researchers suggested in Sydney and Melbourne, COVIDSafe’s uptake could already be at 40% – but lower in other places.
Shutterstock


Demographic bias

There are many other uncertainties about COVIDSafe’s effectiveness.

We lack data on whether the app is actually being downloaded by those most at risk. This may include:

We also know COVIDSafe doesn’t work properly on iPhones and some older model mobile phones. And older devices are more likely to be owned by those who are elderly, or less financially privileged.

What’s more, COVIDSafe can’t fulfil its contact tracing potential until it’s downloaded by a critical mass of people who have already contracted the virus. At this stage, the more people infected with COVID-19 that download the app, the better.

A tough nut to crack

Implementing a contact tracing app is a difficult task for our leaders and medical experts. This is because much remains unknown about the COVID-19 virus, and how people will continue to respond to rules as restrictions lift around the country.

Predictions of the disease’s spread have also shown a lot of variation.

Thus, there are many unknowns making it impossible to predict the outcome. The important thing is for people to not start taking risks just because they’ve downloaded COVIDSafe.

And while the government pushes for more downloads and reopening the economy, ongoing reviews will be crucial to improving the app’s functionality.

Dinesh Kumar, Professor, Electrical and Biomedical Engineering, RMIT University and Pj Radcliffe, Senior Lecturer, Electrical and Computer Engineering, RMIT University

This article is republished from The Conversation under a Creative Commons license. Read the original article.

In some places 40% of us may have downloaded COVIDSafe. Here’s why the government should share what it knows


Robert Slonim, University of Sydney

It’s 18 days since the government launched its digital contact-tracing app COVIDSafe. The latest figure we have for downloads is 5.4 million, on May 8, about 29% of smartphone users aged 14 and over.

My own mini-survey suggests that in Sydney and Melbourne the takeup could already be 40% – a figure the government has mentioned as a target – while in other places it is much lower.

Oddly, it’s information the government isn’t sharing with us.


Total number of COVIDSafe app users (millions)


Endorse COVIDSafe

The importance of downloading and using the app is growing day by day as we relax restrictions. We are able to see what has happened in countries such as South Korea that have relaxed restrictions and then experienced a second wave.

5.4 million Australians after 13 days is a promising start.

As can be seen in the above graph produced by my colleague Demetris Christodoulou and me, 5.4 million downloads represents about 28.7% of Australians with smartphones.


Read more: Chief Medical Officer Brendan Murphy predicts more than 50% take-up of COVID tracing app

It compares favourably to the 22.4% of Singaporeans with smartphones who downloaded their app within 13 days of its launch.

But the government is only making public a single figure indicating “total” downloads. It would be far more useful if it provided disaggregated community, city and state level data, and below, I attempt to fill the breach.

Letting us know more about which communities are downloading the app would help with health, motivation and transparency.

Health

Knowledge about potentially-dramatic variations in where the app was being downloaded could help guide policy.

Hypothetically speaking, if 70% of Melbourne’s smartphone users had downloaded the app but only 20% of Adelaide’s users, this could have distinct implications for the ability to successfully trace COVID-19 outbreaks in the respective cities and for the right amount of easing of restrictions in each city.

It could also help residents of those cities make more informed decisions about their own safety, such as whether and how to shop and whether to wear a mask.

Motivation

While COVIDSafe originally generated more than 500,000 daily downloads, the number has fallen to less than 100,000, suggesting that new efforts to motivate more downloads is urgently needed.

Providing geographical details could energise downloads in three ways.

First, people often feel enormous pride when their community steps up to help others. Knowing how well the community is doing is likely to motivate more people to help.


Read more: COVIDSafe tracking app reviewed: the government delivers on data security, but other issues remain

Second, knowing how well other communities are doing can be a powerful incentive to catch up; few people want to be in the community that isn’t doing its part.

Third, if state leaders make decisions about relaxing restrictions partly on the basis of local downloads, community members will see a direct connection between downloading the app and the freedoms that will be available to them.

Transparency

The government’s appeal to download the app is built around trust.

It has asked us to trust it by downloading the app. In return it should trust us with better information.

People in Adelaide, Alice Springs, Brisbane, Cairns, Canberra, Darwin, Geelong, the Gold Coast, Hobart, Launceston, Melbourne, Newcastle, Perth, Sydney, Townsville, Wollongong, rural communities and other places deserve access to information the government already has that could help them make better choices.

The sort of data authorities are keeping to themselves

Given the lack of transparency to date, I conducted my own online survey among 876 residents of Sydney, Melbourne and regional communities with less than 50,000 people.

My survey results, run with a sample of people using the online survey platform PureProfile, indicate the proportion of people who had downloaded the app by May 11 was 50.5% in Sydney, 44.0% in Melbourne and 36.1% in less populated communities.

Controlling for age and gender, there was no significant difference between downloads in Sydney and Melbourne. Both were significantly higher than rural communities.


Read more: Contact tracing apps: a behavioural economist’s guide to improving uptake

Restricting the responses to people who have a mobile phone that is capable of downloading the app, the proportion of downloads increases to 53.8% in Sydney, 47.8% in Melbourne and 41.2% in less populated communities. An extra 7.2%, 6.9% and 5.7% of respondents said they would either definitely or probably download the app in the next week.

This survey evidence indicates there are stark regional differences in downloads, and that although the national level of downloads is about 29%, some locations such as Sydney and Melbourne may have already surpassed (or will soon surpass) the government’s stated 40% target.

Of course the government shouldn’t rely on these survey results, because it has the actual information. It is time it shared the detailed download information it has with us, both to reciprocate our trust and to let us make more informed decisions.

Robert Slonim, Professor of Economics, University of Sydney

This article is republished from The Conversation under a Creative Commons license. Read the original article.

70% of people surveyed said they’d download a coronavirus app. Only 44% did. Why the gap?


Simon J Dennis, University of Melbourne; Amy Perfors, UCLA School of Medicine; Daniel R. Little, University of Melbourne; Joshua P. White, University of Melbourne; Lewis Mitchell, University of Adelaide; Nic Geard, University of Melbourne; Paul M. Garrett, University of Melbourne, and Stephan Lewandowsky, University of Bristol

In late March, we posed a hypothetical scenario to a sample of Australians, asking if they would download a contact tracing app released by the federal government; 70% responded in favour.

But a more recent survey, following the release of COVIDSafe, revealed only 44% of respondents had downloaded it.

The Australian government’s COVIDSafe app aims to help reduce the spread of COVID-19 and let us all return to normal life. But this promise depends on how many Australians download and use the app. The minimum required uptake has been variously estimated at 40-60% of the population.

Our ongoing research, led by the Complex Human Data Hub of the University of Melbourne’s School of Psychological Sciences, surveyed the Australian public to understand their opinions and use of the COVIDSafe app, and other possible government tracking technologies.

Our research is helping us understand the conditions under which Australians will accept these technologies, and what’s holding them back.

Is there community support for COVIDSafe?

COVIDSafe uses Bluetooth to establish an anonymous contact registry of who a user has been close to, and for how long. If that user tests positive for COVID-19, they can voluntarily upload their contact registry to a central data store accessible only by state and territory health officials. Human contact tracers then alert those at risk and advise them on appropriate isolation measures.


Read more: Explainer: what is contact tracing and how does it help limit the coronavirus spread?

Gaining broad community support for COVIDSafe requires the app’s perceived public health benefits to outweigh concerns about personal privacy, security and the potential risk of harm.

As of May 7, from a sample of 536 survey participants, 44% reported having downloaded the COVIDSafe app. Promisingly, another 17% said they had not, but planned to.

We also asked all our respondents what technology they thought COVIDSafe used. Only 60% correctly responded with “Bluetooth”. Others responded with “location data” (19%), “mobile phone towers” (5%), or that they did not know (16%). This breakdown differed between people who had downloaded the app and those who had not, as shown below.

Why are people opting in?

For those who downloaded COVIDSafe, most reported doing so to monitor others’ health (28%), their own health (19%), and in the hope of returning to normal activities sooner (18%). The least motivating factor was “to help the economy” (14%).

Most people who had not downloaded the app said they were weighing the pros and cons (22%), had not had time (19%) or had technical issues (12%). A small number were waiting for legislation that stipulated how the data could be used (6%).

This may be good news for the government, as many of these reasons are relatively straightforward to address.

Of those who reported they would not download the app, privacy was the main concern (31%).


Read more: The COVIDSafe bill doesn’t go far enough to protect our privacy. Here’s what needs to change

Downloads do not equal usage

Whether those who download COVIDSafe are using it properly will largely determine its effectiveness.

Of those who had downloaded COVIDSafe, 90% said they had registered and kept Bluetooth switched on either at all times (77%) or when they left home (15%). Also, 58% said they had tried to share the app with others – helping to increase the rate of uptake.

Yet, there remains some doubt as to whether turning Bluetooth on is sufficient for the app to work productively on iPhones. According to app developers, COVIDSafe works best on iPhones when the app is open, on the front screen (foreground), and the phone is unlocked.

But since these iPhone-related issues can be fixed (albeit potentially with some level of difficulty), it would be worthwhile for the government to invest in this.

International comparisons

Before the release of COVIDSafe, our research also tracked social support for similar apps and tracking technologies in other countries, including the UK, US, Taiwan and Germany.

We asked respondents about two hypothetical scenarios of government tracking.

The first scenario was similar to Australia’s COVIDSafe app rollout. In it, people were asked to download a voluntary government tracking app allowing them to be contacted if they had been exposed to COVID-19. In this scenario, 70% of our respondents said they would download the app.

The second scenario was less voluntary, wherein all people with a mobile phone had their location tracked. Governments would use the data to trace contacts, locate people who were violating lockdown orders and enforce restrictions with fines and arrests, if necessary. Interestingly, in this scenario even more people (79%) said they would download the app. If people could opt out, 92% indicated they would support the policy.

Importantly, these scenarios were completely hypothetical at the time, which may account for the intention-behaviour gap. That is, the gap between people’s values and attitudes, and their actual actions.

So, while 70% of people in our first survey said they would download a hypothetical government app, a later survey showed only 44% had actually downloaded COVIDSafe after its release.

This graph shows the proportion of participants who indicated they would download a voluntary government app (in green), and who found mandatory tracking through telecommunications companies acceptable (purple) in Taiwan, Australia, the UK, Germany and the US under various situations. ‘Sunset’ refers to a sunset clause, in which governments legislate promises to stop tracking and delete the associated data within six months. ‘Local data storage’ refers to tracking data being stored on a user’s device rather than in a central repository. This data was collected prior to the announcement of the COVIDSafe app.

Australians showed high levels of support for both scenarios, particularly in comparison to other western democracies, such as the UK and the US.

An evolving situation

Prime Minister Scott Morrison has repeatedly linked COVIDSafe’s uptake to a potential easing of lockdown restrictions. But more recently, federal defence minister Marise Payne said the app’s uptake wouldn’t be a deciding factor for when restrictions were lifted.

When asked if the government should use the app’s uptake levels to decide when restrictions should be lifted, only 51% of our survey participants responded “yes”.

Overall, our data show Australians are generally accepting of the use of government tracking technologies to combat the COVID-19 emergency. However, only time will tell how this translates to real-world uptake of the COVIDSafe app.

Detailed results of the survey data from Australia, as well as the UK, US, Spain, Switzerland, Germany, and Taiwan, are continually being reported here.

Simon J Dennis, Director of Complex Human Data Hub and Professor of Psychology, University of Melbourne; Amy Perfors, Associate Professor, UCLA School of Medicine; Daniel R. Little, Associate Professor in Mathematical Psychology, University of Melbourne; Joshua P. White, Research Assistant – Complex Human Data Hub, Melbourne School of Psychological Sciences, University of Melbourne; Lewis Mitchell, Senior Lecturer in Applied Mathematics, University of Adelaide; Nic Geard, Senior Lecturer, School of Computing and Information Systems, University of Melbourne; Senior Research Fellow, Doherty Institute for Infection and Immunity, University of Melbourne; Paul M. Garrett, Post Doctoral Research Fellow, University of Melbourne, and Stephan Lewandowsky, Chair of Cognitive Psychology, University of Bristol

This article is republished from The Conversation under a Creative Commons license. Read the original article.

Contact tracing apps are vital tools in the fight against coronavirus. But who decides how they work?


Seth Lazar, Australian National University and Meru Sheel, Australian National University

Last week the head of Australia’s Digital Transformation Agency, Randall Brugeaud, told a Senate committee hearing an updated version of Australia’s COVIDSafe contact-tracing app would soon be released. That’s because the current version doesn’t work properly on Apple phones, which restrict background broadcasting of the Bluetooth signals used to tell when phones have been in close proximity.

For Apple to allow the app the Bluetooth access it requires to work properly, the new version will have to comply with a “privacy-preserving contact tracing” protocol designed by Apple and Google.

Unfortunately, the Apple/Google protocol supports a different (and untested) approach to contact tracing. It may do a better job of preserving privacy than the current COVIDSafe model, but has some public health costs.

And, importantly, the requirement to comply with this protocol takes weighty decisions away from a democratically elected government and puts them in the hands of tech companies.

A difficult transition

Both COVIDSafe and the new Apple/Google framework track exposure in roughly the same way. They broadcast a “digital handshake” to nearby phones, from which it’s possible to infer how close two users’ devices were, and for how long.

If the devices were closer than 1.5m for 15 minutes or more, that’s considered evidence of “close contact”. To stop the spread of COVID-19, the confirmed close contacts of people who test positive need to self-isolate.

The differences between COVIDSafe’s current approach and the planned Apple/Google framework are in the architecture of the two systems, and to whom they reveal sensitive information. COVIDSafe’s approach is “centralised” and uses a central database to collect some contact information, whereas Apple and Google’s protocol is completely “decentralised”. For the latter, notification of potential exposure to someone who has tested positive is carried out between users alone, with no need for a central database.


Read more: The COVIDSafe app was just one contact tracing option. These alternatives guarantee more privacy

This provides a significant privacy benefit: a central database would be a target for attackers, and could potentially be misused by law enforcement.

Protecting COVIDSafe’s central database, and ensuring “COVID App Data” is not misused has been the task of the draft legislation currently being considered. However, if the Apple/Google framework is adopted as planned, much of that legislation will become redundant, as there will be no centralised database to protect. Also, since data on users’ devices will be encrypted and inaccessible to health authorities, there’s no risk of it being misused.


Read more: The COVIDSafe bill doesn’t go far enough to protect our privacy. Here’s what needs to change

For COVIDSafe to comply with the new Apple/Google framework, it would need to be completely rewritten, and the new app would most likely not be interoperable with the current version. This means we’d either have two systems running in parallel, or we’d have to ensure that everyone updates.

Less information for contact tracers

The Apple/Google approach strictly limits the amount of information shared with all parties, including traditional contact tracers.

When a user’s “risk score” exceeds a threshold the app will send them a pop-up. The only information revealed to the user and health authorities will be the date of exposure, its duration, and the strength of the Bluetooth signal at the time. The app would not reveal, to anyone, precisely when a potentially risky encounter occurred, or to whom the user was exposed.

This, again, has privacy benefits, but also public health costs. This kind of “exposure notification” (as Apple and Google call it, though proximity notification might be more accurate) can be used to supplement traditional contact tracing, but it can’t be integrated into it, because it doesn’t entrust contact tracers with sensitive information.
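An added toy model (not COVIDSafe’s code, nor the Apple/Google framework’s) of the two notification paths described above: in the centralised path the positive user’s contact registry is uploaded to an authority that can link IDs to people, while in the decentralised path only the user’s own broadcast IDs are published and matching happens on each phone, which learns just the date, duration and signal strength. The daily ID scheme, the signal-strength stand-in for “closer than 1.5m”, the risk-score formula and the 21-day pruning are simplifying assumptions, not the real protocols’ values.

```python
# Added illustration, not code from COVIDSafe or the Apple/Google framework; the ID scheme,
# RSSI threshold, risk-score formula and retention pruning are constructed assumptions.
from dataclasses import dataclass, field
from datetime import date, timedelta
import secrets

CLOSE_CONTACT_MINUTES = 15   # article: a contact of 15 minutes or more
CLOSE_RSSI_DBM = -70         # assumed: a signal at least this strong stands in for "closer than 1.5 m"
RETENTION_DAYS = 21          # article: on-device contact data deleted on a 21-day rolling basis
RISK_THRESHOLD = 1.0         # assumed: one full close contact is enough to trigger a pop-up

@dataclass
class Encounter:
    peer_id: str     # rolling anonymous ID the other phone was broadcasting
    day: date
    minutes: int
    rssi_dbm: int    # Bluetooth signal strength, the only distance proxy the app has

    def is_close_contact(self) -> bool:
        return self.minutes >= CLOSE_CONTACT_MINUTES and self.rssi_dbm >= CLOSE_RSSI_DBM

@dataclass
class Phone:
    owner: str
    registry: list = field(default_factory=list)   # encounters this phone has logged
    daily_ids: dict = field(default_factory=dict)  # day -> ID this phone broadcast that day

    def broadcast_id(self, day: date) -> str:
        # One random ID per day (constructed; real schemes rotate IDs far more often)
        return self.daily_ids.setdefault(day, secrets.token_hex(8))

    def record(self, other: "Phone", day: date, minutes: int, rssi_dbm: int) -> None:
        self.prune(day)
        self.registry.append(Encounter(other.broadcast_id(day), day, minutes, rssi_dbm))

    def prune(self, today: date) -> None:
        cutoff = today - timedelta(days=RETENTION_DAYS)
        self.registry = [e for e in self.registry if e.day > cutoff]

def central_upload(positive: Phone, enrolled: list) -> list:
    """Centralised path: the positive user's registry goes to the authority, which can
    link IDs back to enrolled users, so tracers learn who was met, when and for how long."""
    by_id = {i: p.owner for p in enrolled for i in p.daily_ids.values()}
    return [(by_id.get(e.peer_id, "unknown"), e.day, e.minutes)
            for e in positive.registry if e.is_close_contact()]

def publish_positive_ids(positive: Phone) -> set:
    """Decentralised path: the positive user publishes only the IDs their own phone
    broadcast; nothing about whom they met leaves the device."""
    return set(positive.daily_ids.values())

def local_exposure_check(phone: Phone, published: set) -> tuple:
    """Matching runs on each phone against the published IDs. The result carries only
    the date, duration and signal strength of matching encounters, never the peer."""
    score, exposures = 0.0, []
    for e in phone.registry:
        if e.peer_id in published and e.is_close_contact():
            score += e.minutes / CLOSE_CONTACT_MINUTES
            exposures.append((e.day, e.minutes, e.rssi_dbm))
    return score >= RISK_THRESHOLD, exposures

def demo() -> dict:
    # Constructed scenario: Alice meets Bob (close) and Carol (briefly), then tests positive.
    day = date(2020, 5, 11)
    alice, bob, carol = Phone("alice"), Phone("bob"), Phone("carol")
    # A stale encounter that the 21-day rolling deletion should drop
    alice.record(carol, day - timedelta(days=30), 60, -55)
    # Both sides of each handshake log the other's broadcast ID
    alice.record(bob, day, 20, -60); bob.record(alice, day, 20, -60)
    alice.record(carol, day, 5, -60); carol.record(alice, day, 5, -60)
    published = publish_positive_ids(alice)
    return {
        "central_contacts": central_upload(alice, [alice, bob, carol]),
        "bob_notified": local_exposure_check(bob, published)[0],
        "carol_notified": local_exposure_check(carol, published)[0],
        "alice_registry_size": len(alice.registry),
    }
```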

Benefits of traditional methods

As experts have already shown, the duration and strength of Bluetooth signals are weak evidence of potentially risky exposure, and can result in both false positives and false negatives.

COVIDSafe’s current approach entrusts human contact tracers with more data than the Apple/Google framework allows – both when, and to whom, the at-risk person was exposed. This enables a more personalised risk assessment, with potentially fewer errors. Contact tracers can help people recall encounters they may otherwise forget, and provide context to information given by the app.

For example, the knowledge that a possible close contact happened when both parties were wearing personal protective equipment might help avoid a false positive. Similarly, learning that someone who tested positive had a close contact with a user, who was with friends who weren’t running the app at the time, might enable us to alert those friends, and so avoid a false negative.

In addition, just having the message come from a human rather than a pop-up might make people more likely to actually self-isolate; we only control the spread if we actually self-isolate when instructed. And, by providing all this data to public health authorities, COVIDSafe’s current approach also grants experts epidemiological insights into the disease.

The two approaches are also supported by different evidence. Apple and Google’s decentralised exposure notification method has never been tried in a pandemic, and is supported by evidence from simulations. However, app-enhanced contact tracing akin to what COVIDSafe does (except using GPS, not Bluetooth) was road-tested in the Ebola outbreak in West Africa, with promising (though inconclusive) results.

Who should decide?

So, should the Australian government comply with Apple and Google’s privacy “laws” and design a new app that’s different from COVIDSafe? Or should Apple update its operating system so COVIDSafe works effectively in the background? Perhaps more importantly, who should decide?

If Apple and Google’s approach achieved the same public health goals as COVIDSafe, but better protected privacy, then – sunk costs notwithstanding – Australia should design a new app to fit with their framework. As we’ve seen, though, the two approaches are genuinely different, with different public health benefits.

If COVIDSafe were likely to lead to violations of fundamental privacy rights, then Apple would be morally entitled to stick to their guns, and continue to restrict it from working in the background. But the current COVIDSafe draft legislation – while not perfect – adequately addresses concerns about how, and by whom, data is collected and accessed. And while COVIDSafe has security flaws, they can be fixed.


Read more: The COVIDSafe bill doesn’t go far enough to protect our privacy. Here’s what needs to change

Decisions on how to weigh values like privacy and public health should be based on vigorous public debate, and the best advice from experts in relevant fields. Disagreement is inevitable.

But in the end, the decision should be made by those we voted in, and can vote out if they get it wrong. It shouldn’t be in the hands of tech executives outside of the democratic process.

Seth Lazar, Professor, Australian National University and Meru Sheel, Epidemiologist | Senior Research Fellow, Australian National University

This article is republished from The Conversation under a Creative Commons license. Read the original article.

How safe is COVIDSafe? What you should know about the app’s issues, and Bluetooth-related risks


James Jin Kang, Edith Cowan University and Paul Haskell-Dowland, Edith Cowan University

The Australian government’s COVIDSafe app has been up and running for almost a fortnight, with more than five million downloads.

Unfortunately, since its release many users – particularly those with iPhones – have been in the dark about how well the app works.

Digital Transformation Agency head Randall Brugeaud has now admitted the app’s effectiveness on iPhones “deteriorates and the quality of the connection is not as good” when the phone is locked, and the app is running in the background.

There has also been confusion regarding where user data is sent, how it’s stored, and who can access it.

Conflicts with other apps

Using Bluetooth, COVIDSafe collects anonymous IDs from others who are also using the app, assuming you come into range with them (and their smartphone) for a period of at least 15 minutes.

Bluetooth must be kept on at all times (or at least turned on when leaving home). But this setting is specifically advised against by the Office of the Australian Information Commissioner.

It’s likely COVIDSafe isn’t the only app that uses Bluetooth on your phone. So once you’ve enabled Bluetooth, other apps may start using it and collecting information without your knowledge.

Bluetooth is also energy-intensive, and can quickly drain phone batteries, especially if more than one app is using it. For this reason, some may be reluctant to opt in.

There have also been reports of conflicts with specialised medical devices. Diabetes Australia has received reports of users encountering problems using Bluetooth-enabled glucose monitors at the same time as the COVIDSafe app.

If this happens, the current advice from Diabetes Australia is to uninstall COVIDSafe until a solution is found.

Bluetooth can still track your location

Many apps require a Bluetooth connection and can track your location without actually using GPS.

Bluetooth “beacons” are progressively being deployed in public spaces – with one example in Melbourne supporting visually impaired shoppers. Some apps can use these to log locations you have visited or passed through. They can then transfer this information to their servers, often for marketing purposes.

To avoid apps using Bluetooth without your knowledge, you should deny Bluetooth permission for all apps in your phone’s settings, and then grant permissions individually.

If privacy is a priority, you should also read the privacy policy of all apps you download, so you know how they collect and use your information.

Issues with iPhones

The iPhone operating system (iOS), depending on the version, doesn’t allow COVIDSafe to work properly in the background. The only solution is to leave the app running in the foreground. And if your iPhone is locked, COVIDSafe may not be recording all the necessary data.

You can change your settings to stop your iPhone going into sleep mode. But this again will drain your battery more rapidly.

Brugeaud said older models of iPhones would also be less capable of picking up Bluetooth signals via the app.

It’s expected these issues will be fixed following the integration of contact tracing technology developed by Google and Apple, which Brugeaud said would be done within the next few weeks.


Read more: The COVIDSafe bill doesn’t go far enough to protect our privacy. Here’s what needs to change

Vulnerabilities to data interception

If a user tests positive for COVID-19 and consents to their data being uploaded, the information is then held by the federal government on an Amazon Web Services server in Australia.

Data from the app is stored on a user’s device and transmitted in an encrypted form to the server. Although it’s technically possible to intercept such communications, the data would still be encrypted and therefore offer little value to an attacker.

The government has said the data won’t be moved offshore or made accessible to US law enforcement. But various entities, including Australia’s Law Council, have said the privacy implications remain murky.

That said, it’s reassuring the Amazon data centre (based in Sydney) has achieved a very high level of security as verified by the Australian Cyber Security Centre.

Can the federal government access the data?

The federal government has said the app’s data will only be made available to state and territory health officials. This has been confirmed in a determination under the Biosecurity Act and is due to be implemented in law.

Federal health minister Greg Hunt said:

Not even a court order during an investigation of an alleged crime would be allowed to be used [to access the data].

Although the determination and proposed legislation clearly define the who and how of access to COVIDSafe data, past history indicates the government may not be best placed to look after our data.

It seems the government has gone to great lengths to promote the security and privacy of COVIDSafe. However, the government commissioned the development of the app, so someone will have the means to obtain the information stored within the system – the “keys” to the vault.

If the government did covertly obtain access to the data, it’s unlikely we would find out.

And while contact information stored on user devices is deleted on a 21-day rolling basis, the Department of Health has said data sent to Amazon’s server will “be destroyed at the end of the pandemic”. It’s unclear how such a date would be determined.

Ultimately, it comes down to trust – something which seems to be in short supply.


Read more: The COVIDSafe app was just one contact tracing option. These alternatives guarantee more privacy

James Jin Kang, Lecturer, Computing and Security, Edith Cowan University and Paul Haskell-Dowland, Associate Dean (Computing and Security), Edith Cowan University

This article is republished from The Conversation under a Creative Commons license. Read the original article.