API Security Done Right: COVID-19 Exposure Notification System Minimizes Data Exposure

April 6, 2021 | by Jason Kent

Security Professionals have a reputation for being paranoid and pointing out security or privacy flaws in just about everything. When the Privacy-Preserving Contact Tracing Project was first launched, many a security pro said, with great skepticism, “you want me to what now?” The system allowed for a way to trace anyone you might have been near when they were asymptomatic or after learning they had a positive test and pushed that signal into the system.

After downloading the application for your region, your phone then turns on Bluetooth LE. Your phone periodically generates a random code and when your phone (and you) comes near someone else’s enabled phone, both phones enter the random codes into their manifest and send it to the notification system. In the event you or the other person gets a positive COVID test, that information can be sent to the system to notify the other they have been exposed.

The purpose of this is to make it easy to figure out where someone might have been exposed and where they may be exposing others to COVID-19. The data collection can also be used to track where exposures are happening. For instance, if exposure patterns point to an increase on public transit, adjustments can be made to limit the impact before it becomes a massive problem.

The app is truly focused on privacy, as the initial name (Privacy-Preserving Contact Tracing Project) implies but the name was changed to Exposure Notification System – perhaps due to the focus on privacy, which left many with an uneasy feeling (too much sharing). In my analysis of 10 different contact tracing apps, I found that the privacy aspect of this system is very well thought out, utilizing a tokenization scheme that would make it nearly impossible to figure out who/where an individual is.

My Analysis: API Security Done Properly

I downloaded 10 of these applications and used an intercept proxy to see what kind of noise they make. It turns out these are the quiet neighbors every apartment dweller wishes they had. The system is set up to simply create manifests and only when someone submits a positive test, does it calculate the exposures, and that all happens on the back end. This means from the phone’s perspective the only data transmitted or received occurs with a positive test submission. In 10 out of 10 cases the apps are very interested in the privacy of the phone and its owner.

As is standard in our industry there are always mistakes. Every app had links to more information that could be grabbed via a link to a website. 9 out of 10 times it just linked, the link opened, and the site exposed no further data. In one example, however, the API Key needed to transmit data was in the get request to the state’s Department of Health. This key is important because it would allow for someone to forge a fake covid report and post a fake manifest. Given the public nature of the application and ease of figuring out how to do this, it is a concern.

One error aside my only problem with this whole system is reliance on Bluetooth and me having to have my Bluetooth on all the time. The design for the tokenization and considerations for privacy are all top-notch and as my research shows, the implementation is well done in most cases. This leap forward in phone manufacturers helping get real data on a real problem is something I hope continues into the future.

Want the visibility to find and mitigate security risks before they are published or discovered in your own APIs? Watch a quick overview of Cequence API Sentinel today.

Jason Kent


Jason Kent

Hacker in Residence

Additional Resources