Vulnerability detected in Covid applications on Android phones has been fixed – no misuse has been discovered
A potential security vulnerability detected in COVID-19 contact tracing applications on Android phones has been fixed. Google announced the fix on 26 April, and it has since been rolled out to users' phones. The Finnish Koronavilkku application also uses the Google interface in question.
An investigation of a potential security vulnerability was initiated at the end of April, when a US security company discovered that the Google interface used by Covid applications wrote the random ID codes exchanged between phones to the phone's privileged system log. These ID codes are meant to be kept for 14 days only within the Exposure Notification (EN) interface used by the application, and nowhere else. EU countries demanded that Google rectify the situation immediately.
The possible security gap in the interface had also been discovered in Finland, and the Koronavilkku working group had already pointed it out to Google on 17 August 2020. The Finnish Institute for Health and Welfare and the National Cyber Security Centre assessed the identified risks as unlikely enough to be acceptable. The random ID codes affected by the vulnerability are anonymous and change every 10 to 20 minutes. The application uses these codes to detect exposure. No application user can be identified from a single code.
Ordinary users and applications have not had access to the privileged system log in which the ID codes were written. If codes had been collected from several devices and combined with other data, it would in theory have been possible to reveal a user's identity. However, there is no known indication that the potential security gap was ever exploited.
More information:
Aleksi Yrttiaho
Director of Information Services
Finnish Institute for Health and Welfare
[email protected]