EU investigating the possibility of misuse in COVID-19 application interfaces - Use of the Koronavilkku contact tracing app still secure
The EU is investigating a potential security vulnerability in COVID-19 contact tracing applications on Android phones that use the interface built by Google and Google Play services. So far, no incident of interface misuse has been discovered. The Koronavilkku contact tracing app used in Finland also uses the interface in question.
“The Koronavilkku contact tracing app can still be used safely. To our knowledge, there has been no misuse of the contact tracing app here in Finland or those used in other countries. The EU is investigating a potential security gap in cooperation with Google,” explains Director of Information Services at the Finnish Institute for Health and Welfare (THL) Aleksi Yrttiaho.
The problem concerns random ID codes
The investigation started when a report by a US security company drew attention to the fact that, on Google phones, random ID codes exchanged by contact tracing applications are stored in the secure system log of the phone in addition to the EN interface used by the application.
According to the interface specifications, random codes are stored only within the interface, for 14 days. EU countries have demanded that Google rectify this situation immediately.
In Finland, the risks associated with the interface were discussed in connection with both the implementation of the Koronavilkku contact tracing app and the evaluation of the National Cyber Security Centre in August 2020. At that time, a potential security gap was discovered and the Koronavilkku team pointed this out to Google.
The Finnish Institute for Health and Welfare and the National Cyber Security Centre considered that the risks identified were so unlikely that they could be accepted.
Misuse is unlikely
The Koronavilkku contact tracing app uses an Apple and Google EN interface to monitor exposures. The interface sends and receives random ID codes between phones.
Random ID codes are anonymous and change every 10-20 minutes. Because the user of the application cannot be identified from a single code, disclosure of the codes is not, in and of itself, a security threat. If codes are collected from several devices and combined with other data, it is theoretically possible that the user’s identity could be revealed.
Ordinary users and applications do not have access to the secure system log where the codes are stored on Google phones. Some pre-installed programs from phone manufacturers may be able to see the content of the log and could possibly also reveal that content in the event of a fault. However, this is extremely rare.
Further information:
Aleksi Yrttiaho
Director of Information Services
Finnish Institute for Health and Welfare