Cryptology ePrint Archive: Report 2020/428

Security Analysis of the COVID-19 Contact Tracing Specifications by Apple Inc. and Google Inc.

Yaron Gvili

Abstract: In a joint effort to fight the COVID-19 pandemic, Apple Inc. and Google Inc. recently partnered to develop a contact tracing technology to help governments and health agencies reduce the spread of the virus, with user privacy and security central to the design. The partnership announcement included technical specifications of the planned technology, which has great potential for widespread adoption due to the global reach of the two companies. In this report, we provide a security analysis of these specifications. We show that the current specifications may introduce significant risks to society and propose mitigation strategies for these risks that do not require major changes to the technology and are easy to adopt. Surprisingly, our mitigation strategies do not use challenge-response protocols nor a public key infrastructure, often used to thwart common attacks. Our analysis focuses mostly on system security considerations yet also includes information security considerations. We leave out of scope a discussion on how important or effective the technology is in fighting the pandemic.

Category / Keywords: applications / COVID-19, Contact Tracing, System Security, Information Security

Date: received 14 Apr 2020, last revised 24 Apr 2020

Contact author: cryptomniumllc at gmail com

Available format(s): PDF | BibTeX Citation

Version: 20200424:152241 (All versions of this report)

Short URL: ia.cr/2020/428


[ Cryptology ePrint archive ]