Analysis of the "Stopp Corona" App: Improvements through expert report

cc0

Experts from epicenter.works, noyb.eu and SBA Research evaluated the Austrian Red Cross' "Stopp Corona" app for data security and privacy. No critical security gaps were found, but some potential for improvement in data protection implementation was identified. 

Many recommended improvements have already been implemented by the Austrian Red Cross. Within the existing system, some of these have already been implemented, others require long-term changes - including by Apple and Google.

The Austrian Red Cross and Accenture GmbH have provided the source code of the Stopp Corona app (version 1.1) to epicenter.works, noyb.eu and SBA for an analysis in order to check the software with regard to IT security, data protection and legal aspects. The analysis was free of charge.

25 Recommendations

Experts from epicenter.works, noyb.eu, and SBA Research reviewed the application in terms of security and privacy and summarised their findings and 25 recommendations in a report. The results were presented in a press conference on April 22 2020; the full report can be found here.

Accenture (who developed the app for the Austrian Red Cross) has already agreed to implement 16 of the recommendations with a "hotfix" on April 22, three of the recommendations with the next version of the app and four recommendations in about four weeks.

Decentralised concept

Although the app is based on the decentralised storage of data on the user's own mobile phone, communication between the phones still takes place largely via central servers, as the relevant Bluetooth protocol cannot transfer enough data between the mobile phones.

Thomas Lohninger, managing director of epicenter.works, said: "In the meantime, there are solutions with concepts like DP-3T or Co-Epi, which also enable the majority of communication directly from mobile phone to mobile phone and are therefore even more data protection friendly. We recommend the Red Cross to switch to this concept as soon as it is technically possible". This requires in particular the announced technical changeover by Apple and Google to ensure that the app also works smoothly on iPhones.

In principle, the experts certify a good starting level of the App with regard to security aspects and data protection issues, but recommend a number of improvements. Christian Kudera, IT security expert SBA Research: "A statistics function was built into the app, which transmitted the exchange of contacts via Bluetooth and the reception of infection messages to the Red Cross. The statistics function was removed immediately due to our urgent recommendation".

Another problem is the offline tracking of devices. Christian Kudera, IT security expert SBA Research: "It is possible for attackers to recognise smartphones at specific locations over long periods of time and, in extreme cases, to create motion profiles. We have been promised that this problem will be fixed with a new version at the end of next week". Users can deactivate the automatic handshake as an interim solution.

GDPR

The concept of the app is also permissible under European data protection law. Max Schrems, data protection lawyer, noyb.eu: "The Red Cross concept is in any case in conformity with data protection law. However, given the extremely fast implementation, there is still room for improvement in details. We have recommended even more precise information and provided more thoughts on how to ensure that the Corona warnings are correct. Much of this was implemented immediately."

Contact Tracing Apps

Contact tracing apps can ideally save lives. The Austrian "Stopp Corona" app is, as far as is known, the pioneer in Europe to date with 400,000 installations. At the same time, Max Schrems added: "In Europe, we are certainly pioneers for now, but the state of the art is currently changing almost daily and the Red Cross must certainly continue to keep up with it.

The press conference was recorded and is available on the organisations' YouTube channels (in German). The audio recording can be downloaded here as an mp3 (German).

Da du hier bist

… haben wir eine Bitte an dich. Für Artikel wie diesen analysieren wir Gesetzestexte, bewerten Regierungsdokumente oder lesen Allgemeine Geschäftsbedingungen (wirklich!). Wir sorgen dafür, dass möglichst viele Menschen sich mit komplizierten juristischen und technischen Inhalten befassen und auch verstehen, dass sie große Auswirkungen auf unser Leben haben. Diese Arbeit machen wir aus der festen Überzeugung, dass wir gemeinsam stärker sind als alle Lobbyisten, Machthabende und Konzerne. Dafür brauchen wir deine Unterstützung. Hilf uns, eine starke Stimme für die Zivilgesellschaft zu sein!

Jetzt Fördermitglied werden