The government’s COVIDSafe contact tracing app has been found to contain a flaw that stops iPhones from retrieving temporary IDs when a device is locked, meaning Bluetooth encounters could be going unrecorded.
The major bug, which is limited to iOS devices and has affected the functionality of the app since it was first launched in late April, was disclosed by software developer Richard Nelson on Monday.
It goes to the very heart of COVIDSafe's operation on iOS: a locked iPhone cannot fetch the new temporary ID it is meant to retrieve from the national COVIDSafe data store every two hours.
“New TempIDs cannot be retrieved when a device is locked,” Nelson penned in an analysis of the JSON Web Token (JWT) and iOS Keychain access provided to the Digital Transformation Agency.
He said this resulted in a locked device “providing its TempID to devices which ask for it”, but “not being able to write to a peripheral its TempID” - or put more simply, a device recording others around it, but not being recorded by others.
“[A locked device] will record a device acting as central which writes to it. A device in this state will record other people around it, but will not be recorded by others. If all relevant devices are in this state, no encounters are logged,” he said.
Nelson gave the example of someone packing their bag for the day and assuming that the locked device would be logging encounters, a problem that comes on top of Bluetooth encounter logging that already remains unreliable on iOS, particularly between two iOS devices.
“One could imagine Alice packing her bag, putting her iPhone in and going out for the day to a football game. With her device in this state, nobody else will record her presence, and if anyone around her tested positive she would not be contacted,” he said.
The bug stems from how COVIDSafe uses the KeychainSwift library to store the JSON Web Token (JWT) it presents to the server when fetching new temporary IDs: the token is saved with the library's default accessibility setting, which makes it unreadable while the device is locked.
Nelson said the bug was found by observing debug logs and investigating errors.
“When setting a new TempID locally, COVIDSafe uses the default value for the KeychainSwiftAccessOptions parameter, which is AccessibleWhenUnlocked. This means the keychain item cannot be accessed when the device is locked,” he said.
“When a new TempID is needed, GetTempIdAPI tries to extract the JWT from the keychain in order to fetch a new TempID from the API. This fails when the device is locked, and so a TempID is unavailable.”
He said this could be fixed fairly simply by using “accessibleAfterFirstUnlock for KeychainSwiftAccessOptions when storing the JWT with KeychainSwift”.
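To make the difference concrete, the following is an added illustration, not COVIDSafe's own code, written against KeychainSwift's public API: the default call Nelson describes, the corrected call he suggests, and a check that reads the accessibility attribute back out of the keychain so a test on a device can catch a regression. The key name, the placeholder token and the error type are assumptions made for the example.

```swift
import Foundation
import Security
import KeychainSwift   // https://github.com/evgenyneu/keychain-swift

// Key name is an assumption for this example, not COVIDSafe's identifier.
let jwtKey = "tempid.api.jwt"
let keychain = KeychainSwift()

// Before: what Nelson describes. Omitting withAccess makes KeychainSwift
// store the item as kSecAttrAccessibleWhenUnlocked, so a background
// refresh on a locked device fails with errSecInteractionNotAllowed (-25308)
// and no new TempID can be fetched.
@discardableResult
func storeJwtDefaultAccess(_ jwt: String) -> Bool {
    return keychain.set(jwt, forKey: jwtKey)
}

// After: the fix Nelson suggests. AfterFirstUnlock items stay readable once
// the user has unlocked the device at least once since boot, which is what a
// background TempID refresh needs. (The ...ThisDeviceOnly variant behaves the
// same on the device but is excluded from backups, a stricter choice if the
// token must never migrate to another device.)
@discardableResult
func storeJwtAfterFirstUnlock(_ jwt: String) -> Bool {
    return keychain.set(jwt, forKey: jwtKey, withAccess: .accessibleAfterFirstUnlock)
}

// Check: read the accessibility attribute back with the Security framework
// directly. KeychainSwift stores generic-password items keyed by
// kSecAttrAccount = keyPrefix + key, so the query mirrors that.
func accessibilityAttribute(forKey key: String) -> String? {
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrAccount as String: keychain.keyPrefix + key,
        kSecReturnAttributes as String: true,
        kSecMatchLimit as String: kSecMatchLimitOne,
    ]
    var item: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &item)
    guard status == errSecSuccess, let attrs = item as? [String: Any] else {
        return nil
    }
    return attrs[kSecAttrAccessible as String] as? String
}

// The refresh path: the JWT must come out of the keychain before the API
// call can be made. When the device state forbids access, lastResultCode
// carries the OSStatus (-25308 for a WhenUnlocked item on a locked device).
enum TempIdRefreshError: Error {
    case jwtUnavailable(OSStatus)
}

func jwtForTempIdRefresh() throws -> String {
    guard let jwt = keychain.get(jwtKey) else {
        throw TempIdRefreshError.jwtUnavailable(keychain.lastResultCode)
    }
    return jwt
}

// Usage, e.g. from an XCTest run on a physical device with a passcode set:
// the accessibility classes only take effect when data protection is active.
// The token value is a constructed placeholder, not a real credential.
storeJwtAfterFirstUnlock("eyJhbGciOiJIUzI1NiJ9.placeholder.signature")
assert(accessibilityAttribute(forKey: jwtKey) == (kSecAttrAccessibleAfterFirstUnlock as String),
       "JWT must be readable by the background TempID refresh")
```

The attribute check is the regression test Nelson's tweet below implicitly asks for: it answers "is the key material available at the appropriate time?" without needing to drive the device through a lock/unlock cycle, although a full test still has to exercise the refresh on a locked device, since nothing in the simulator or on a passcode-less device will reproduce the failure.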
Nelson told iTnews the fact the bug had not been found and fixed in the two months since the app went live “just seems so poor”, particularly with people now moving about in greater numbers.
“I don’t understand what kind of development process wouldn’t find things like this. Ultimately, I want this to work well. I’d love to see [the app] benefit our recovery,” he said.
Code was "reviewed by government security agencies, academics and industry specialists". Out of all of these, did nobody say "Hey, it stores a secret in Keychain. Is key material available/unavailable at appropriate times?" This is really basic stuff when storing encrypted data.
— Richard Nelson (@wabzqem) June 14, 2020
The flaw compounds other iOS Bluetooth issues, which are particularly apparent when the app is operating in the background.
There have been some improvements in the Bluetooth performance to date, though logging is still rated “moderate” for two locked iOS devices.
The two issues, together with the low transmission rate among the community, go a long way to explaining the app’s limited effectiveness as a tool for identifying additional close contacts in the contact tracing process.
According to the ABC, no state or territory health authorities have uncovered any otherwise unidentified contacts using COVIDSafe to date, despite app registrations now sitting at more than 6.2 million.
In response to iTnews questions asking whether the agency was aware of the bug, the DTA said it "continues to welcome feedback on COVIDSafe from the developer community, with previous feedback helping us to improve the app".
"The DTA will continue to release updates to the COVIDSafe app to deliver a range of performance, security and accessibility improvements as required," a spokesperson said.
"The Australian community can have confidence the app is working securely and effectively, despite the lack of community transmission of COVID-19."