COVID-19 Mobile AppDev Security & Privacy Checklist
Posted by David Weinstein
In this dire time, the world is grasping for critical healthcare solutions to fight COVID-19. Incredible people have stepped up to leverage technology in meaningful ways to benefit humanity. The current stay-at-home orders afford app developers precious time to build innovative solutions that can help speed the return to normalcy.
Because addressing asymptomatic carriers is critical to combating coronavirus, several apps focus on contact tracing, self-diagnosis of symptoms or general tracking of the pandemic. Even rivals Apple and Google are collaborating to provide a contact tracing technology framework to halt the spread of COVID-19 and accelerate the return of daily routines.
NowSecure wants to do our part to help eradicate this global problem by assisting those who are building COVID-19 mobile apps for the general public. Our team offers free expert mobile app security reviews to any qualified app developer building a qualified pandemic-related mobile app for public use. Many at NowSecure actively volunteer significant time to these important initiatives, and we’ve already lent a hand to verify that a few of these apps preserve the security and privacy of their intended users.
App builders ask users to trust an application that will collect incredible swaths of sensitive information, which is both a noble and a risky undertaking. Surveys of early beta testers of these COVID-19 apps have surfaced user concerns about how their data will be used if they report a positive test result. With the great power of collecting surveillance data comes great responsibility to safeguard it carefully.
Mobile App Architectural Issues to Consider
Thanks to our significant experience writing and testing the security of mobile applications, we’ve amassed a series of best practices that can guide the development of safe COVID-19 apps. (See our “Secure Mobile Development Best Practices” here.) What follows is a checklist of issues to consider as projects take shape.
- How will you uniquely identify users, such as by unique device IDs or by anonymized data? This will impact what you can do with the data, how you might notify users, and may create significant usability vs. security tradeoffs.
- What types of data will the app collect, and how will it address privacy? Data the app ingests that is subject to the Health Insurance Portability and Accountability Act (HIPAA), or that is treated as Personally Identifiable Information (PII) in other jurisdictions, will factor into approval for Google Play and the App Store.
- How will you trust the data the app collects? Fake reporting is a major concern. For instance, consider Sybil attacks that could result in denial-of-service conditions or otherwise create chaos through false positive COVID self-submissions. Consider using APIs such as Apple’s DeviceCheck, which could enable features such as allowing only one COVID-19 positive test result per device, or rate-limiting the number of times a positive result can be submitted.
- Is GPS data accurate enough for your use case? Uber has done some really interesting work in this area. Consider that this type of data can be spoofed by devices or via API requests.
- Will the app require Bluetooth communication for accuracy? (See the GPS vs Bluetooth for Contact Tracing discussion from the CoronaTrace project.)
- Will you geofence features to limit when data is being collected?
- What level of confidence do you have in the algorithms used to determine whether two parties were close in time and space?
- Should you obfuscate the application binary? If so, does that reduce the trust in what your application does with the data?
- How will you manage access to cloud resources? Many COVID initiatives that are spun up by volunteers are moving quickly and ramping up contributors. For example, one project we are working on has doubled in the last week alone to more than 500 volunteers. How will these people be vetted before being granted access to a back-end database or APIs? What’s more, how will cloud resources be allocated and managed and who will have access to the data?
- How will third-party dependencies be tracked and used throughout the projects?
- How will the app handle authentication to data collection endpoints?
- What type of app will you build, a mobile app or a mobile + web app?
- What development technologies will you select? For instance, are you going to use a cross-platform toolkit such as React Native, Cordova, or go with a native app?
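The two data-trust items above (limiting positive self-reports per attested device and treating GPS data as spoofable) are easiest to see as server-side checks. The following is an added example, not NowSecure's code or any project's: a submission validator that rate-limits per device, accepts at most one positive result per device, and rejects a location fix that would require physically implausible travel since the device's last accepted fix. It assumes the caller has already verified a platform attestation token (such as the one DeviceCheck issues) and resolved it to an opaque `device_id`, and that timestamps are assigned by the server rather than trusted from the client; the in-memory state dictionary stands in for a persistent store (DeviceCheck's two server-side bits would be one place to persist the "already reported positive" flag). The thresholds and sample coordinates are constructed for illustration.

```python
"""Server-side validation of self-reported COVID-19 results (added example).

Hypothetical assumptions, not taken from the post:
  - device_id is an opaque identifier the caller derived from an already
    verified platform attestation token (e.g. Apple DeviceCheck).
  - Submission.timestamp is assigned by the server, never by the client.
  - The _state dict is a stand-in for a persistent per-device store.
"""
from dataclasses import dataclass, field
from math import asin, cos, radians, sin, sqrt
from typing import Dict, List, Optional, Tuple

MAX_SUBMISSIONS_PER_WINDOW = 3      # any result type, per device (constructed threshold)
WINDOW_SECONDS = 24 * 3600
MAX_PLAUSIBLE_SPEED_MPS = 350.0     # ~1260 km/h, above airliner cruise; faster is treated as spoofed


def haversine_m(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in metres between two WGS-84 points."""
    earth_radius_m = 6_371_000.0
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * earth_radius_m * asin(sqrt(a))


@dataclass
class Submission:
    device_id: str
    timestamp: float            # seconds since epoch, server-assigned
    positive: bool
    lat: Optional[float] = None
    lon: Optional[float] = None


@dataclass
class DeviceState:
    reported_positive: bool = False
    submission_times: List[float] = field(default_factory=list)
    last_fix: Optional[Tuple[float, float, float]] = None   # (timestamp, lat, lon)


class SubmissionValidator:
    def __init__(self) -> None:
        self._state: Dict[str, DeviceState] = {}

    def validate(self, sub: Submission) -> Tuple[bool, str]:
        """Return (accepted, reason). State is only updated on acceptance."""
        st = self._state.setdefault(sub.device_id, DeviceState())

        # 1. Sliding-window rate limit per device: forget old submissions, then count.
        cutoff = sub.timestamp - WINDOW_SECONDS
        st.submission_times = [t for t in st.submission_times if t > cutoff]
        if len(st.submission_times) >= MAX_SUBMISSIONS_PER_WINDOW:
            return False, "rate_limited"

        # 2. At most one positive result per attested device.
        if sub.positive and st.reported_positive:
            return False, "duplicate_positive"

        # 3. Location plausibility: range-check the fix and reject a jump that
        #    implies impossible travel since the last accepted fix.
        has_fix = sub.lat is not None and sub.lon is not None
        if has_fix:
            if not (-90.0 <= sub.lat <= 90.0 and -180.0 <= sub.lon <= 180.0):
                return False, "invalid_coordinates"
            if st.last_fix is not None:
                t0, lat0, lon0 = st.last_fix
                dt = sub.timestamp - t0
                if dt <= 0:
                    return False, "non_monotonic_timestamp"
                if haversine_m(lat0, lon0, sub.lat, sub.lon) / dt > MAX_PLAUSIBLE_SPEED_MPS:
                    return False, "implausible_location_jump"

        # Accepted: record the submission and update per-device state.
        st.submission_times.append(sub.timestamp)
        if sub.positive:
            st.reported_positive = True
        if has_fix:
            st.last_fix = (sub.timestamp, sub.lat, sub.lon)
        return True, "accepted"


if __name__ == "__main__":
    v = SubmissionValidator()
    # Constructed sample: a negative report from New York, then the same device
    # claiming to be in London 60 seconds later, which the speed check rejects.
    print(v.validate(Submission("dev-A", 1000.0, False, 40.7128, -74.0060)))
    print(v.validate(Submission("dev-A", 1060.0, True, 51.5074, -0.1278)))
```

The checks run cheapest-first and the per-device state changes only when a submission is accepted, so a rejected submission cannot poison the "last fix" used to judge the next one. The speed threshold is deliberately generous; it catches outright teleportation rather than trying to infer fraud from ordinary movement, which keeps false rejections of genuine users low.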
How will you manage risk and balance the tradeoff between mobile app security and usability?
NowSecure recommends incorporating automated mobile application security testing into the development process to speed release of these important apps and achieve breadth of coverage. In addition, manual penetration tests and architectural reviews can test with an eye toward specific design goals of the apps being developed. Once again, if you’re developing a COVID-19 app for public use, we’re eager to help secure your app to further the mission of fighting the pandemic.