The rapid spread of COVID-19 has made traditional manual contact tracing to identify potential persons in close physical proximity to an known infected person challenging. Hence, a number of public health authorities have experimented with automated contact tracing apps. While the global deployment of contact tracing apps aims to protect the health of citizens, these apps have raised security and privacy concerns. In this paper, we assess the security and privacy of 34 exemplar contact tracing apps using three methodologies: (i) evaluate the design paradigms and the privacy protections provided; (ii) static analysis to discover potential vulnerabilities and data flows to identify potential leaks of private data; and (iii) evaluate the robustness of privacy protection approaches. Based on the results, we propose a venue-access-based contact tracing solution, VenueTrace, which preserves user privacy while enabling proximity contact tracing. We hope that our systematic assessment results and concrete recommendations can contribute to the development and deployment of applications against COVID-19 and help governments and application development industry build secure and privacy-preserving contract tracing applications.

中文翻译：

---

审查全球 COVID-19 联系人追踪应用程序的安全性和隐私

COVID-19 的快速传播使得传统的手动接触者追踪来识别与已知感染者有密切身体接触的潜在人员具有挑战性。因此，许多公共卫生当局已经试验了自动接触者追踪应用程序。虽然接触者追踪应用程序的全球部署旨在保护公民的健康，但这些应用程序引发了安全和隐私问题。在本文中，我们使用三种方法评估了 34 个示例联系人跟踪应用程序的安全性和隐私：（i）评估设计范式和提供的隐私保护；(ii) 静态分析以发现潜在漏洞和数据流，以识别私人数据的潜在泄漏；(iii) 评估隐私保护方法的稳健性。根据结果​​，我们提出了一种基于场所访问的联系人跟踪解决方案 VenueTrace，它可以在启用近距离接触跟踪的同时保护用户隐私。我们希望我们系统的评估结果和具体的建议能够为针对 COVID-19 的应用程序的开发和部署做出贡献，并帮助政府和应用程序开发行业构建安全和隐私保护的合同追踪应用程序。