Critical flaw discovered in Australia's iOS COVIDSafe app

Covid Safe Australia (Image credit: health.gov.au)

What you need to know

  • There's a critical flaw in Australia's COVIDSafe app on iOS.
  • When an iOS device is locked, the app can no longer retrieve a new random number used to identify you.
  • That means your device can't be logged by others around you.

A critical flaw has been discovered in Australia's COVIDSafe app which stops a locked device from retrieving a new random identification number.

As noted by Twitter's Richard Nelson, simply scanning the debug log of the app has revealed the key flaw. Nelson expands on this in a document:

New TempIDs cannot be retrieved when a device is locked. This results in a locked device which has an expired TempID with behaviour:

  • As peripheral, not providing its TempID to devices which ask for it, and
  • As central, not being able to write to a peripheral its TempID

It will record a device acting as central which writes to it. A device in this state will record other people around it, but will not be recorded by others. If all relevant devices are in this state, no encounters are logged.

The example he uses is of someone locking their iPhone, putting it in a bag and going out for the day. While the phone remains locked and unable to fetch a new random identifier, no other devices they come into contact with will lodge that device as a contact. If two devices in that state come into contact, no contact will be lodged at all. In real terms, if that person were to come into contact with someone carrying COVID-19, they would not receive a notification about the encounter after the fact. Commenting on Twitter, Nelson stated:

How can this go so poorly? This is another bug that may have led to comments that the quality "deteriorates" as device goes to locked, but again, it's not a result of iOS Bluetooth, it's simply a bug in COVIDSafe.

Code was "reviewed by government security agencies, academics and industry specialists"

Out of all of these, did nobody say "Hey, it stores a secret in Keychain. Is key material available/unavailable at appropriate times?" This is really basic stuff when storing encrypted data.

The Australian government has previously admitted its iOS app was not working as expected because of restrictions placed on its use of Bluetooth, which apply because it doesn't use Apple and Google's API.
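The Keychain question Nelson raises can be made concrete with iOS's item accessibility classes. The Swift sketch below is an added example, not code from COVIDSafe or from Nelson's document; the service and account names are hypothetical, and the page does not say which accessibility class the app actually used.

```swift
import Foundation
import Security

// Hypothetical item identity for this sketch; not taken from the COVIDSafe source.
let identity: [String: Any] = [
    kSecClass as String: kSecClassGenericPassword,
    kSecAttrService as String: "example.contact-tracing",
    kSecAttrAccount as String: "api-secret",
]

enum SecretLookup {
    case value(Data)
    case lockedOut          // item exists, but its protection class forbids reading now
    case missing
    case failed(OSStatus)
}

/// Stores the secret under the given accessibility class, replacing any old copy.
func storeSecret(_ secret: Data, accessible: CFString) -> OSStatus {
    _ = SecItemDelete(identity as CFDictionary)
    var item = identity
    item[kSecValueData as String] = secret
    item[kSecAttrAccessible as String] = accessible
    return SecItemAdd(item as CFDictionary, nil)
}

/// Reads the secret, reporting a locked-device failure separately from a missing item.
func loadSecret() -> SecretLookup {
    var query = identity
    query[kSecReturnData as String] = true
    query[kSecMatchLimit as String] = kSecMatchLimitOne
    var result: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &result)
    switch status {
    case errSecSuccess:
        if let data = result as? Data { return .value(data) }
        return .failed(status)
    case errSecInteractionNotAllowed: return .lockedOut
    case errSecItemNotFound: return .missing
    default: return .failed(status)
    }
}

// Readable only while unlocked: a refresh attempted on a locked phone gets .lockedOut.
//   storeSecret(secret, accessible: kSecAttrAccessibleWhenUnlocked)
// Readable from the first unlock after boot onward, so background refresh keeps working.
//   storeSecret(secret, accessible: kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly)
```

The after-first-unlock class trades some at-rest protection for availability, since the item stays readable while the phone is locked, so it suits only secrets that background work genuinely needs.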

Stephen Warwick
News Editor
