A privacy and security analysis of early-deployed COVID-19 contact tracing Android apps
Empirical Software Engineering (IF 4.1), Pub Date: 2021-03-19, DOI: 10.1007/s10664-020-09934-4
Majid Hatamian (1), Samuel Wairimu (2), Nurul Momen (2, 3), Lothar Fritsch (2)

As this article is being drafted, the SARS-CoV-2/COVID-19 pandemic is causing harm and disruption across the world. Many countries have aimed to support their contact tracers with digital contact tracing apps in order to manage and control the spread of the virus. The idea is the automatic registration of encounters between smartphone owners so that infection chains can be processed more quickly. To date, many contact tracing apps have already been launched and used in 2020. There has been much speculation about the privacy and security aspects of these apps and their potential violation of data protection principles. The developers of these apps are therefore constantly criticized for undermining users' privacy, neglecting essential privacy and security requirements, and developing apps under time pressure without considering privacy- and security-by-design. In this study, we analyze the privacy and security performance of 28 contact tracing apps available on the Android platform from various perspectives, including the privileges their code requests, the promises made in their privacy policies, and their static and dynamic behaviour. Our methodology is based on the collection of several types of data about these 28 apps, namely permission requests, privacy policy texts, run-time resource accesses, and existing security vulnerabilities. Based on the analysis of these data, we quantify and assess the impact of these apps on users' privacy. We aimed to provide a quick and systematic inspection of the earliest contact tracing apps deployed on multiple continents. Our findings reveal that the developers of these apps need to take more cautionary steps to ensure code quality and to address security and privacy vulnerabilities. They should more consciously follow legal requirements with respect to the apps' permission declarations, privacy principles, and privacy policy contents.
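The permission-request dimension of the analysis described above can be reproduced on a single app's manifest. The following is an added example, not code from the paper or its authors: it parses the `<uses-permission>` entries of a constructed AndroidManifest.xml for a hypothetical tracing app and separates runtime-granted ("dangerous") permissions from normal ones, which is the first step in judging whether an app's declared privileges match what a contact tracing function needs.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Subset of permissions that Android grants at run time ("dangerous" protection level).
# Location is listed because Bluetooth scanning required it on Android versions before 12.
DANGEROUS = {
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.ACCESS_BACKGROUND_LOCATION",
    "android.permission.CAMERA",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_PHONE_STATE",
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
}

# Constructed sample manifest for a hypothetical tracing app (package name is a placeholder,
# not any real app studied in the paper).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="example.tracing.app">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.BLUETOOTH"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.CAMERA"/>
</manifest>
"""


def declared_permissions(manifest_xml):
    """Return every permission name declared via <uses-permission>, in manifest order."""
    root = ET.fromstring(manifest_xml)
    return [el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")]


def classify(manifest_xml):
    """Split declared permissions into dangerous vs. normal and compute the dangerous share."""
    perms = declared_permissions(manifest_xml)
    dangerous = sorted(p for p in perms if p in DANGEROUS)
    normal = sorted(p for p in perms if p not in DANGEROUS)
    ratio = len(dangerous) / len(perms) if perms else 0.0
    return {"dangerous": dangerous, "normal": normal, "dangerous_ratio": ratio}


if __name__ == "__main__":
    print(classify(SAMPLE_MANIFEST))
```

A contact-tracing app needs Bluetooth, network access and (on older Android versions) location; a `READ_CONTACTS` or `CAMERA` request, as in the constructed sample, is the kind of declaration a reviewer would ask the privacy policy to justify.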




Updated: 2021-03-21