Sports Android bug: Around 400 apps were able to read Covid-19 contact tracking protocols

20:40  28 april  2021
20:40  28 april  2021 Source:   t3n.de

COVID-19 live updates: Hospitalizations rise as Quebec reports 1,559 cases, 7 deaths

  COVID-19 live updates: Hospitalizations rise as Quebec reports 1,559 cases, 7 deaths Updated throughout the day on Wednesday, April 14. Questions/comments: ariga@postmedia.com Top updates Two-thirds of Quebecers think province is lifting restrictions too quickly – poll Elderly show similar antibody response to 1st dose of AstraZeneca and Pfizer shots in UK study Opinion: We should want what’s best for our children’s teachers Opposition criticizes CAQ for welcoming back MNA Denis Tardif, caught partying without respecting health directives COVID-19 cases are rising again among eldercare residents Ontario-Quebec border controls needed, Montreal public health director says Avoid Montreal’s crowded emergency wards for minor health issues, authoritie

The App-Census experts found a vulnerability in the Android version of Google and Apple's contact tracking API. The made sensitive protocols for hundreds of apps readable.

Kontakt-Tracing-API unter Android hatte kritische Sicherheitslücke. © T3N Contact Tracing API under Android had critical vulnerability.

On behalf of the US Ministry of Internal Security, the forensics of App-Census examined the safely indicated contact tracking API , the Google and Apple mid-2020 together as the basis for the vast majority of the Corona warning apps used in the world had developed.

Small Program Error Tears Large Lick

In the Android version, you encountered a curious bug that had not occurred in the IOS version of the interface. Apparently due to an error-made LAPSU's fault in the program code, the COVID-19 API not only wrote system events in the associated system log, but also sensitive contact details.

COVID-19 Update: Alberta to lower eligibility age for AstraZeneca | Many students shift online today | Cancer patients call for second dose

  COVID-19 Update: Alberta to lower eligibility age for AstraZeneca | Many students shift online today | Cancer patients call for second dose With news on COVID-19 happening rapidly, we’ve created this page to bring you our latest stories and information on the outbreak in and around Calgary. What’s happening now Thousands of students in Calgary and in northern Alberta are shifting to online learning today because of rising COVID-19 infection rates. Following Ontario’s lead, Alberta will also expand use of the AstraZeneca vaccine to people aged 40 and over. Ontario will expand use of the AstraZeneca vaccine to people 40 and older, starting Tuesday. Calgary daycares and preschools are seeing more COVID-19 outbreaks. Alberta reported 1,516 new cases of COVID-19 on Sunday, as well as three additional deaths.

This contains these contact data in principle all over 400 apps, which are also equipped with access to system protocols. This describes the forensics of App-Census in a detailed blog post in all technical details.

Already in February, they want to attention Google to the problem that they describe as extremely easy to fix. Apparently, Google would have to change in the API code only one line that - probably accidentally - contacted contact information written to the system log. According to boss forensic Dr. Joel Rearardon by App-Census would have been a clack for this change for Google. She had not tangled any apps, nor anything changed at the functional principle of the API.

Google should have ignored the security gap

the more surprised one was with App-Census, as it became clear that Google did not want to make any institutions to fix the mistake. Again and again, App-Census-CTO Serge Edelman wants to contact Google and pointed out the bug. There he always bolted.

COVID protocol-related absences: 04/25

  COVID protocol-related absences: 04/25 Each day, the NHL will publicly release the list of players that are unavailable to their respective teams due to being in COVID-19 Protocol. Here is today’s list: Calgary – Josh Leivo Colorado – Joonas Donskoi, Mikko Rantanen New Jersey – P.K.Calgary – Josh Leivo

Only when the colleagues adopted by The Markup of the problem and Google officially asked for a statement, momentum should have come to the matter. That was but only last week.

Ruckzuck should then have then eliminated the problem that you should have ignored for almost two months. Google lost to The Markup, one had a corresponding update before weeks ago and given in the roll-out. In the next few days all affected smartphones should be updated.

A danger has insisted at any time because the system logs can not exit the respective device. That stimulates chief forensic Rearardon dimensionless. Something can not just say something, he scolds. After all, they would not know which app maybe process the system logs collections and in some way.

Why could Google did not react?

Two plausible reasons are conceivable why Google could actually have not taken the problem so seriously. On the one hand, the problem concerns only preinstalled apps. Only these from well-known manufacturers such as Samsung or Motorola on their smartphones factory pre-installed apps get access to the system logs. The risk situation may have assessed Google under this aspect.

On the other hand, an app that theoretically can read information that can not actually do. This is likely to be almost excluded in the typically preinstalled apps, especially since the gap according to the current state of no one was otherwise known. Here, Google could not have suffered the eligible app developers - probably simply the necessary criminal energy. Even under this aspect, the risk assessment may have resulted in a weak risk.

Nevertheless, a manufacturer with a communicated gap that affects potentially sensitive health data does not work around Lax, as Google should have done in this case.

NHL's COVID protocol-related absences for May 6, 2021 .
Players in the protocol are: Colorado's Devan Dubnyk and Washington's Evgeny Kuznetsov.Calgary – TBA (previously Josh Leivo)

usr: 1
This is interesting!