Validating the security of contact tracing apps

To ensure that contact tracing apps protect users’ security, privacy and civil liberties, the Department of Homeland Security’s Science and Technology Directorate has tapped a startup to develop app testing and validation services.

AppCensus, based in El Cerrito, Calif., already has a platform for at-scale analysis of mobile apps’ runtime behaviors and their security and privacy risks. The $198,600 Phase 1 award will allow the company to adapt its system to test Android and iOS contract tracing apps and publicly post the results, including descriptions and sensitivity of data the apps collect and the data-use policies of the apps’ publishers and third parties.

The phase 1 award was made under an S&T’s Silicon Valley Innovation Program (SVIP) solicitation, which called for “a robust application testing ecosystem” that would evaluate contact tracing applications to ensure they do not leak, share or misuse data or compromise  users’ privacy, security or civil liberties.

“Once adapted and enhanced, the AppCensus platform will provide reports based on consistent tests using openly developed criteria of publicly available digital contract tracing applications to make it easy for people to understand potential privacy and security risks,” said SVIP Technical Director Anil John.

Several states have rolled out smartphone-based solutions to automate the manual contact tracing process. The apps use the devices’ GPS and Bluetooth functions to collect and share data about where users have been and with whom they’ve come in contact.

The COVID Alert app launched by Virginia in August 2020 uses the exposure notification protocol developed by Google and Apple that does not rely on personal information or location data. So do complementary apps launched Oct. 1 by New York and New Jersey that supplement public health officials’ efforts to trace and contact individuals who may have been exposed to the COVID-19 virus. Other states, such as Utah, North and South Dakota, Nevada, Wisconsin, Oregon, Connecticut, Michigan, Florida, have also developed contact tracing apps.

AppCensus is the first of six start-ups to receive a Phase 1 award from SVIP’s Emerging Needs: COVID-19 Response & Future Mitigation program, which seeks near-term solutions to DHS-specific challenges related to pandemic response and preparations for future mitigation. Other use cases include:

• Video analytics for Transportation Security Administration checkpoints.
• Solutions for automatic and rapid surface disinfecting.
• Tools to help monitor, collect, integrate and deconflict quantitative open-source information.
• Enhanced point-of-entry screening for DHS facilities that protect individual privacy.

This article first appeared on GCN, a Defense Systems partner site.