Victorian health officials began using data from the COVIDSafe app on Monday night after a patient with the app installed on their phone tested positive to COVID-19.

The patient then consented to their data being downloaded and used to track down other people the patient had been in contact with.

A spokesperson from the Department of Health and Human Services said health officers were trained to use the data only for contact tracing.

“Victoria has legislated privacy obligations when handling citizens’ private data or health data and these obligations will be adhered to,” the spokesperson said in a statement.

“With only a small number of cases in Victoria, there have been few opportunities to use the App so far. We hope this continues.”

The latest coronavirus figures show that Victoria has the second highest number of confirmed coronavirus cases in Australia with 1,573 reported as of yesterday.

Only Victoria and NSW have reported new cases in the past 24 hours.

Does the app work?

Victoria’s announcement makes it the first state to publicly acknowledge using COVIDSafe app data to help with contact tracing.

The number of new cases in Australia is dwindling, but COVIDSafe has regularly been touted as a method to ensure that the virus doesn’t spread as restrictions ease.

If health officials in Victoria can match the COVIDSafe data of their infected citizen to other app users, it could be the first positive sign that the app is functioning as intended.

However, a Guardian report yesterday claimed that authorities in NSW – the country’s most populous state, which has the largest number of confirmed cases – had tested the COVIDSafe data but were unable to integrate it into pre-existing systems.

NSW Chief Health Officer, Dr Kerry Chant, confirmed this morning that NSW Health was having “teething problems” with the app.

“It’s not that the app’s not working, just to be clear,” Dr Chant said at a press conference.

“We are evaluating the app to see how it can augment our existing [manual] contact tracing.

“For the Android phones we have managed to get some data off – there have just been some issues with handshake sensitivity and I believe that’s been remedied.”

“So, we’re looking forward to fully embracing the [COVIDSafe] app into our contact tracing.”

Vulnerabilities remain

With the app available for download, the source code released, privacy protections enshrined in law, and now examples of it being used by state health officials – it appears as though COVIDSafe is working.

But a community of developers continue to find potential flaws with the app's architecture.

Recently, Jim Mussared and Alwen Tiu logged a critical vulnerability that could affect COVIDSafe and other international apps built using similar code.

CVE-2020-12856 relates to how Bluetooth is used in the app and "allows for long term tracking of users of the affected apps, and possibly enables other bluetooth-based attack vectors".

Similar to previous issues that have been patched in recent COVIDSafe updates, CVE-2020-12856 allows a single device that has the app installed to be traced through identifiers that are supposed to change.

Unlike those previous issues, however, this problem persists even after the app is uninstalled, therefore allowing a device to be tracked long-term.

Specific information about the vulnerability is currently embargoed to give app developers time to implement a fix.