The Digital Transformation Agency (DTA) released the source code for the coronavirus tracing app, COVIDSafe, on GitHub last week to little fanfare.
“Prior to launching the application, the source code was reviewed by government security agencies, academics and industry specialists,” the DTA said.
“We are releasing the app code, but to ensure the privacy of individuals and integrity of the overall system, the code that relates to the COVIDSafe National Information Storage System will not be released.”
Given that the app was decompiled by developers and curious techies within hours of its release in late April, some people are calling for even more government transparency and collaboration.
Cryptographer and CEO of Thinking Cybersecurity, Vanessa Teague, wants to see the government release the app’s server-side code so that the security of the app’s encryption methodology can be properly assessed.
“We need to see the server code, and read some justification of the design decisions, so that we can identify and fix other bugs in #CovidSafeApp and have a genuine public debate about how it should change,” Teague said on Twitter.
That's a nice start, but I only see the app code. If we can't see the #COVIDSafeApp server code too, we don't even know what's in the encrypted messages we're sending. https://t.co/7IHgPK9lyt
— Vanessa Teague (@VTeagueAus) May 8, 2020
Work together
While there have been healthy amounts of online discussion about the technical details of COVIDSafe since its release, the government’s approach to collaboration leaves much to be desired.
The DTA archived the app’s GitHub repositories, making them read-only and leaving developers to put their suggested bug fixes in different public forks.
Instead of working on GitHub, the DTA prefers people to provide feedback by emailing support@covidsafe.gov.au.
Developer Geoffrey Huntley has been highly critical of the department’s approach to the public tracing app.
Prior to the source code’s release, he expressed his frustration with trying to warn the government about privacy issues discovered by the community, calling a recent app update a “new coat of paint”.
“The privacy things that we discovered are still there,” he said.
“There’s no way in hell people didn’t know about our research because, holy crap, we said it hard and wide and we kept following up.”
Among the privacy concerns around the app are temporary ID caches that are not removed, and the possibility that the app could allow permanent tracking of an iPhone even after the app has been uninstalled.
Bizarrely, the source code release also revealed an unused part of the app that omitted Tasmania from a list of states.
It's the attention to detail that really stands out pic.twitter.com/GOZeZktpMo
— Anthony B, oh god we're all going to die (@swearyanthony) May 8, 2020
The DTA said it will be regularly updating COVIDSafe, and that the next release will happen this week.
“We plan to iteratively enhance COVIDSafe and we already have a plan for the next couple of releases,” the department said.
“These releases will focus on further strengthening the security of the application and improving its usability and accessibility.”
In a senate committee hearing last week, the DTA admitted that the iOS functionality “progressively deteriorates” when an iPhone is locked and the app is running in the background.
COVIDSafe has been downloaded more than 5.5 million times.
Legislation to govern the app is being introduced to parliament today.