Expert finds tracking bugs in the COVIDSafe app that could leave domestic violence victims open to being followed
- Tracking bugs have been found in the government's COVIDSafe tracing app
- Software developer Jim Mussared discovered the bugs on Android phones
- He said the bug could pose a danger to those at risk of domestic violence
- Vulnerable people shouldn't bring their phone anywhere they want kept secret
- More than 5.1 million Australians have downloaded the COVIDSafe phone app
Tracking bugs have been found in the COVIDSafe tracing app on Android phones - with experts warning it could lead to domestic violence victims being followed.
Jim Mussared, the software developer who discovered the bugs, said the trackers could pose a danger to those at risk of domestic violence.
'If you're in any way in a vulnerable situation for which long-term, multi-day device tracking could be a major threat, do not install the app,' he said.
On iPhones, he says, the problems that open up potential tracking aren't present, but COVIDSafe doesn't work reliably unless the app is actively in use.
His advice is similar to that given by WESNET, an organisation that offers technology safety advice for domestic violence victims.

It says people whose abusers have sophisticated technical abilities should think about their specific personal circumstances before downloading the app.
WESNET suggests if they do install it, they should consider leaving their phone behind during any meetings they might want to keep secret.
The first issue Mr Mussared found in the Android app relates to the way an anonymous ID is requested from the server every two hours, which could result in a phone being allocated the same identifier for days on end.
A second, similar problem relates to unique information Android phones send out even if the temporary ID changes.
He's also found two other issues about information the phone sends that he believes should be disclosed in the privacy policy.
He discussed the bugs with the government agency in charge of the COVIDSafe app on Monday, more than a week after he first found and reported them.
'I just want this app fixed. I haven't slept for eight days, right, I've worked tirelessly to get attention to these issues,' he said.
'I'm not out there to try and facilitate people doing creepy things.'
The government says some five million Australians have downloaded the app, about a third of the adult population it is urging to do so.
More than 5.1 million people have downloaded and registered on the COVIDSafe mobile phone app since it was released on April 26.
Government officials have conceded the performance of their coronavirus contact tracing software is 'highly variable' but insist it will still help health authorities.
Over the past week, the tech community has examined the app's code and identified a number of functional and privacy issues.

Digital Transformation Agency head Randall Brugeaud told senators on Wednesday the app was being 'constantly improved'.
But he said suggestions the app did not work on locked iPhones were not his agency's experience.
Rather, performance 'progressively deteriorates' when the phone is locked and the app is running in the background.
'I cannot provide a view that the app will work 100 per cent of the time with all handsets where the devices are locked,' he told a Senate committee hearing.
'There will be circumstances where the app does not capture a Bluetooth handshake.'
These issues only related to iPhones.