Apple and Google’s COVID-19 app exposed private data to other apps

The Android version of the Google and Apple COVID-19 contact exposure notification app had a bug that allowed other apps preinstalled see this private data.

It even made it possible to know if a contact had been with someone who had tested positive for COVID-19. This security flaw was published today by the firm AppCensus.

Google has already launched a solution for the COVID-19 application

The guys at Mountain View were quick to respond and are already rolling out a fix for this bug. Immediacy and rushing to fix it is due to the promise given firmly

by Sundar Pichai, CEO of Google, and Tim Cook, CEO of Apple.

The two promised that the data collected by the notification app in the event of exposure to COVID-19 would never be shared out of device of the user.

Indeed AppCensus informed Google of the existence of this vulnerability to Google in February, but could not correct it in time. A solution that seems to have to do with removing a few lines of code of no major importance.

José Castañeda, spokesperson for Google, mentions that have been informed of a problem with Bluetooth credentials

that temporarily access specific system levels. It wouldn’t be the first time that similar issues have been found in this app as happened earlier this year.

On Android, the problem is that preinstalled applications can access these specific system levels, which gave them the opportunity to see this human tracking data in the app created by Google and Apple.

Since the signing, it has been communicated that there is no indication that these applications would have obtained one of these data

. Regarding the iPhone, AppCensus would not have found any similar vulnerability.