The NHS has kept its promise to share the source code for the UK contact tracing app, placing both the code and documentation onto Github. This will allow security researchers to examine the code to determine exactly how it works, check for any flaws and try to solve a mystery.
Developers will be keen to understand how the app apparently works in the background in a way that shouldn’t be possible …
It shouldn’t be possible for the iOS app to send Bluetooth codes while it is running in the background, only receive them. This would mean that two iPhone users could be sat next to each other, using other apps, and neither phone would register the contact.
However, the NHS claimed that it had found a way around this limitation, and early testing suggests that this is largely true, reports the BBC. It was able to run successfully in the background for at least 90 minutes, sometimes longer.
NHSX had said it had come up with its own solution. And preliminary tests by a cyber-security company suggest it has succeeded.
Pen Test Partners installed the app on a handful of “jailbroken” iPhones – altered to allow them to monitor activity normally hidden from users.
“When first placed in proximity to each other, the phones would start to ‘beacon’ over Bluetooth at either eight- or 16-second intervals,” co-founder Ken Munro said. “Others had expressed concern about the app not being effective when ‘backgrounded’.
“Our tests showed that this did not appear to affect the beaconing, whether the phones had encountered each other for the first time or subsequently been physically moved out and then back into range.”
A second company, Reincubate, found the app would sometimes “go quiet” when run undisturbed in the background for more than 90 minutes but suggested this should not be too big an issue in real-world conditions.
“A number of reasonable factors can trigger this window being extended, including other use of Bluetooth, the presence of Android devices and the effectiveness of notifications [asking the user to reopen the app],” it blogged.
“In our tests, the iOS devices we’ve run the app on have continued to keep the background service running overnight.”
Initial take-up of the coronavirus app in the test area has also been promising. The NHS reported some 40,000 installs out of a population of 141,000. That’s a 28% take-up – well below the minimum 60% epidemiologists say is needed for a meaningful contribution, but still extremely impressive for day one. The population of the Isle of Wight is a significantly older demographic than that of the UK as a whole, which challenges stereotypes of older people and technology, but may also reflect greater compliance with government requests among the elderly.
Many are still calling on the British government to adopt the Apple/Google API when the app is rolled out to the whole country, and there are signs that the government may now be seriously considering this.
It was reported that the NHS has commissioned a feasibility study into making the switch, and the Guardian reports that the government appears to be being swayed by calls from technical experts, human rights groups and politicians alike to adopt the more private API.
After repeated warnings that the UK will be an outlier if it insists on using its own centralised app rather than relying on Google and Apple’s technology, rights groups and MPs said on Thursday that the lack of privacy and data protections could mean that the app would be illegal […]
One source told the Guardian that Downing Street was now sceptical of decisions made in the health service to create a separate app […]
Matthew Gould, the head of NHSX, told a parliamentary committee that the decision to build the app without the involvement of the Californian companies was not fixed in stone. “If it becomes clear that a different approach is a better one and achieves the things that we need to achieve more effectively, we will change. We are not particularly wedded to a single approach. It is a very pragmatic decision about which approach is likely to get the results that we need.
“If we want to take a different approach, we might have to do some heavy-duty engineering work to make that happen. But I want to provide some reassurance that just because we have started down one route does not mean that we are locked into it.”
I’m guessing a lot of people will be examining the source code with interest!
FTC: We use income earning auto affiliate links. More.