The Digital Transformation Agency has updated its COVIDSafe contact tracing app to allow Android users to remove their user-assigned device names from being exposed over Bluetooth.
The update – its third since the source code for the app was released almost three weeks ago – was pushed out on Tuesday to “further enhance the protection and anonymity of users”.
It introduces “new measures to the Bluetooth contact tracing protocol” to allow users to remove Android device names. This is likely to occur when a user downloads and registers for the app.
An “extra layer of encryption for the digital handshake” has also been added.
The issue was raised by software developer Jim Mussared and cryptographic researcher Eleanor McMurty in their comprehensive summary of the app’s privacy issues.
Prior to the update, the pair said Android phone model names and user-assigned device names were transmitted over Bluetooth, allowing for device re-identification and tracking.
While the update goes some way to improving privacy for users, device model names will remain visible to anyone in Bluetooth range.
Code sighted by iTnews shows new advice that alerts users that their user-assigned device name will be visible over Bluetooth and prompts them to “consider making the device name anonymous”.
The update also introduces a new feature that “improves accessibility for people who use text to speech technology” to navigate and use the app.
The DTA said the “improvements include better descriptions of fields within the app, such as the age range selection when registering, and better recognition of back arrows”.
“As we continue to iteratively enhance the COVIDSafe app, protecting the privacy of Australian’s is at the forefront of our efforts,” the DTA said in a statement.
“We would like to thank members of the community, including software developers and researchers, who have worked with us in addressing these issues.”
Initial thoughts regarding the recent code pushed to the COVIDSafe Android repository:
It seems to use AEAD via AES-128-CBC and SHA-256 HMACs to encrypt and authenticate Bluetooth payloads.
If this is correct, it’s a really strong step in the right direction; @DTA did good.
— Eleanor ✨ (@noneuclideangrl) May 27, 2020
Other key improvements to COVIDSafe to date include improvements to Bluetooth performance on iOS devices, including when the device is locked.
This was made possible with new code sourced from the the UK’s NHSX contact tracing app, which has been developed by the Tempemail Health Service’s healthtech unit.
However, the DTA is yet to detail whether these improvements have completely fixed the Bluetooth issues that were confirmed by the agency to impact performance on iOS devices.
The DTA will also look to improve COVIDSafe bluetooth performance further following the release of the Google and Apple exposure notification application programming interface.
According to the ABC, the DTA and the Department of Health are currently testing the API to understand how it can be applied to Australia.
The DTA said it would continue to update the COVIDSafe app based on internal reviews and feedback from the community, with the next update slated ot be released sometime in June.
“We are currently working on the next COVIDSafe update, which will be released in June,” it said.
More than six million Australians have now downloaded and registered for the COVIDSafe app.
Updated 28 May to clarify that device models are still visible over Bluetooth.