Source: NHSX
What you need to know
- Security experts have exposed laughable flaws in the NHS' contact tracing app.
- Source code analysis revealed seven holes.
- Staggeringly, the random ID code used to protect user privacy only changes once every 24 hours, and the beta for the app was published before encryption was finished.
A security report based on source code analysis of the NHS' contact tracing app has revealed several serious security flaws in the software.
As reported by Business Insider:
The UK government's contact-tracing app has got a number of serious security flaws according to cybersecurity experts who analyzed its source code.
A report by two cybersecurity experts, Dr. Chris Culnane and Vanessa Teague, was published on Tuesday. They identified seven security risks around the app, which is currently being trialled on the Isle of Wight and is supposed to be rolled out to the rest of the UK in the next week or two.
The report in question comes from State of It and two cybersecurity experts based in Australia. To the app's credit, the report notes that the UK's effort has better mitigation than Singapore's and Australia's apps; however, the authors remain unconvinced that "the perceived benefits of centralized tracing outweigh its risks."
As summarized by Business Insider:
The vulnerabilities include one which could allow hackers to intercept notifications and either block them or send out bogus ones telling people they've come into contact with someone carrying COVID-19. The researchers also noted that unencrypted data stored on users' handsets could feasibly be accessed by law enforcement. Although the UK government has insisted the data would be used for nothing other than its COVID-19 response, a group of 177 cybersecurity experts have already called on it to introduce safeguards protecting the data from being repurposed for surveillance.
Not only that, but staggeringly, the rotating random ID code which is used to protect users' privacy only changes once a day. By comparison, Apple and Google's API does this every 10-20 minutes.
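To make the rotation-period point concrete, here is an added example (not code from the NHS app, the report, or Apple and Google's framework) that models a device deriving its broadcast identifier from a per-day secret and a rotation-interval index, then measures how many of a day's passive sightings an observer could link to a single identifier under a 24-hour rotation versus a 15-minute one. The derivation, the sighting timestamps and the place names are all constructed for the illustration.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed model: the broadcast identifier is an HMAC of the current
# rotation-interval index under a per-day secret, so it changes only when
# the interval index changes. This is an illustration, not the NHS app's scheme.
DAY_SECONDS = 24 * 60 * 60


def broadcast_id(day_secret: bytes, t_seconds: int, rotation_seconds: int) -> str:
    """Identifier a device broadcasts at time t (seconds since midnight)."""
    interval_index = t_seconds // rotation_seconds
    digest = hmac.new(day_secret, interval_index.to_bytes(4, "big"), hashlib.sha256).digest()
    return digest[:16].hex()


def linkable_groups(sightings, rotation_seconds, day_secret):
    """Group passive sightings (time, place) by the identifier an observer
    would have seen; each group is a set of places linkable to one device."""
    groups = defaultdict(set)
    for t, place in sightings:
        groups[broadcast_id(day_secret, t, rotation_seconds)].add(place)
    return list(groups.values())


def largest_linked_set(sightings, rotation_seconds, day_secret):
    """Size of the biggest set of places an observer can tie together."""
    return max(len(places) for places in linkable_groups(sightings, rotation_seconds, day_secret))


# Constructed sightings: one device observed at five places over one day.
SIGHTINGS = [
    (8 * 3600, "station"),
    (9 * 3600, "office"),
    (12 * 3600 + 30 * 60, "cafe"),
    (18 * 3600, "gym"),
    (20 * 3600, "home_street"),
]


def compare(day_secret=None):
    """Largest linkable set of places under a daily vs a 15-minute rotation."""
    secret = day_secret or os.urandom(32)
    return {
        "24h": largest_linked_set(SIGHTINGS, DAY_SECONDS, secret),
        "15min": largest_linked_set(SIGHTINGS, 15 * 60, secret),
    }


if __name__ == "__main__":
    print(compare())  # 24h rotation links all five places; 15min links none
```

With a once-a-day identifier, every sighting of the device across the day carries the same value, so anyone collecting broadcasts at several locations can stitch a full day's movements together; with a short rotation, each sighting falls in a different interval and yields a different value, so nothing links. The rotation period is the knob that bounds this linkability window.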
In a further, perhaps even more shocking revelation, the National Cyber Security Centre published a response to the report, noting the following on encryption:
The beta version of the app doesn't encrypt the proximity contact event data on the phone, and we don't independently encrypt it before sending to the server. So when it's transferred to the back end, it's protected only by TLS. If Cloudflare went bad (or someone compromised them), they could get access to that proximity log data. The NHS team absolutely understand that data has value and needs to be protected properly, but encryption of the proximity logs just couldn't be done in time for the beta. This will be fixed and will in addition mitigate the physical access to logs above.
"Just couldn't be done in time for the beta." Rather than delay the release of the beta so that they could, you know, encrypt the data, NHSX just pushed the app out anyway. Great work everyone.
The report states in conclusion:
There are admirable parts of the implementation and once the already mentioned changes and updates are made, many of the concerns raised in this report will have been addressed. However, there remains some concern as to how privacy and utility are being balanced. The long-lived BroadcastValues, and detailed interaction records, remain a concern. Whilst we understand that more detailed records may be desirable for the epidemiological models, it must be balanced with privacy and trust if sufficient adoption of the app is to take place.