Tracing App in the Philippines – Too much Permission.

We are writing a review of the two tracing apps / systems that the Philippine Government is using and mandating local government units (LGUs) to use. These are Stay Safe and COVID-KAYA. Stay Safe was done by Multisys and is being positioned as the official tracing app for the IATF / NTF, while COVID-KAYA is the official system being used by the Department of Health (DOH) and the World Health Organization (WHO). We ran Exodus, a privacy app that analyzes the permissions of an application in the Play Store. These permissions are libraries that a developer accesses and uses. Each permission is declared in a file which we call manifest.xml (AndroidManifest.xml inside the app package) prior to submission to the app store for publishing.

Below are the screenshots for both Stay Safe and COVID-KAYA.

As we can see above, COVID-KAYA has 42 permissions, and Stay Safe has 16 permissions and 1 tracker, since we are assuming that the database of Stay Safe is using Google Firebase. Permissions are not really bad, but we as citizens need to ask why these apps are collecting, using and accessing the libraries:

  • Camera – allows the app to take pictures and videos without confirmation
  • Modify System Settings – allows the app to modify system settings data. Malicious apps may corrupt the system configuration
  • Read Contacts – allows the app to read data about your contacts stored on your phone, including the frequency with which you have called, emailed or communicated. This permission allows apps to save your contact data, and malicious apps may share contact data without your knowledge
  • Write Contacts – allows the app to modify data about your contacts stored on your phone. This permission allows apps to delete contact data
  • Get Accounts – allows apps to get the list of accounts known by the phone. This may include any accounts created by applications you have installed
  • Access Coarse Location (Network Based) – allows the app to get your approximate location. This location is derived by location services using network location sources such as cell towers and Wi-Fi
  • Access Fine Location (GPS) – allows the app to get your precise location using the Global Positioning System
  • Bluetooth – automatic pairing
  • Record Audio – allows the app to record audio
  • Read Phone State – allows the app to access the phone state if you are calling someone. This permission allows the app to determine the phone number and device ID
  • Read External Storage – allows the app to read data on the SD card, if any

Above we listed the types of permissions these two applications are using and accessing. As privacy and security practitioners, we are concerned about why they need:

  • Camera – a tracing app doesn’t need any camera, since the tracing is being done in the background using Bluetooth and other high frequency
  • Modify System Settings – why are they modifying system settings? This may be borderline malware
  • Read Contacts – Why do they need to read my contact details? The personal information in the contacts is sensitive enough if this is breached. We know for a fact that the National Privacy Commission filed cases against lending apps in 2019 because of this scenario
  • Write Contacts – This permission should not be touched by the tracing application, because it might modify and delete contacts, which may even result in identity theft
  • Get Accounts – we don’t understand this. Why do they need to access other accounts that were created by different applications on the phone?
  • Access Coarse Location (Network Based) – Is it even part of the privacy notice that they can triangulate the location from the cell towers?
  • Access Fine Location (GPS) – maybe we can ask what model they are using: a centralised or decentralised approach?
  • Bluetooth – automatic pairing – this is acceptable in order to do contact tracing
  • Record Audio – Are these apps eavesdropping? This may result in wiretapping, which needs a warrant before it is permitted
  • Read Phone State – Why do they need to monitor if a person is calling?
  • Read External Storage – and lastly, why do they need to read my data on my SD card?
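
Readers who want to repeat this kind of check on a manifest themselves can use the sketch below. It is an added example, not part of the original review and not Exodus code: it reads a manifest that has already been decoded to text XML (for example with apktool) and sorts the declared permissions into the ones questioned above, the one accepted above (Bluetooth), and everything else. The mapping from the labels in this post to Android permission constants is our assumption, and the sample manifest is constructed, not taken from Stay Safe or COVID-KAYA.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Permissions the review questions for a tracing app. The mapping from the
# review's labels to Android permission constants is this example's assumption.
QUESTIONED = {
    "android.permission.CAMERA": "Camera",
    "android.permission.WRITE_SETTINGS": "Modify System Settings",
    "android.permission.READ_CONTACTS": "Read Contacts",
    "android.permission.WRITE_CONTACTS": "Write Contacts",
    "android.permission.GET_ACCOUNTS": "Get Accounts",
    "android.permission.ACCESS_COARSE_LOCATION": "Access Coarse Location",
    "android.permission.ACCESS_FINE_LOCATION": "Access Fine Location",
    "android.permission.RECORD_AUDIO": "Record Audio",
    "android.permission.READ_PHONE_STATE": "Read Phone State",
    "android.permission.READ_EXTERNAL_STORAGE": "Read External Storage",
}
EXPECTED = {"android.permission.BLUETOOTH": "Bluetooth"}  # accepted in the review

# Constructed sample manifest (not taken from either app).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.BLUETOOTH"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission-sdk-23 android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
</manifest>"""

def review_manifest(xml_text):
    """Return (questioned, expected, other) lists from a decoded manifest."""
    root = ET.fromstring(xml_text)
    declared = []
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for node in root.iter(tag):
            name = node.get(ANDROID_NS + "name")
            if name and name not in declared:  # skip nameless and duplicate entries
                declared.append(name)
    questioned = sorted(QUESTIONED[p] for p in declared if p in QUESTIONED)
    expected = sorted(EXPECTED[p] for p in declared if p in EXPECTED)
    other = sorted(p for p in declared if p not in QUESTIONED and p not in EXPECTED)
    return questioned, expected, other

if __name__ == "__main__":
    questioned, expected, other = review_manifest(SAMPLE_MANIFEST)
    print("Questioned for a tracing app:", ", ".join(questioned))
    print("Expected for contact tracing:", ", ".join(expected))
    print("Not covered by this review:", ", ".join(other))
```

Permissions that land in the last group are not cleared by this check; they are simply outside the list discussed in this post.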

These are just some questions that we as citizens need to ask….