Open-source contact tracing apps
India, Germany, Italy, France, the UK, and others open-source their contact tracing apps
As countries encourage citizens to install contact tracing apps, they have been getting significant pushback from privacy experts who (rightly) question what information is collected and how it is being used. While privacy policies, guidelines, and whitepapers can inform the discussion, they are not sufficient to verify what data each app collects and how it works. In an effort towards transparency, a number of countries have released the source code for their apps. This allows experts to inspect the source code to look for security vulnerabilities as well as to understand exactly what data is collected and how it is used and transmitted.
One of the most widely downloaded contact tracing apps, Aarogya Setu, open-sourced its Android app last week on GitHub. This follows Singapore, which open-sourced its app, TraceTogether, early on. The UK has done similarly as its NHS COVID-19 app goes through trials. Germany (Corona-Warn-App), France (StopCovid), Italy (Immuni), Switzerland (SwissCovid) and Israel (Hamagen) are other notable efforts. Overall, 14 (over 40%!) of the 32 contact tracing applications we’ve documented as of early June have (at least partially) been open-sourced.
View the full list here (you can filter by the source code field).
It should be noted, however, that not all open-sourcing efforts are equal. India, for example, has only open-sourced its Android app (the source code for the iOS app is said to be coming later). Others have open-sourced their mobile apps, but not the server code that collects and stores data. This allows for only a partial view of the system and obscures critical pieces of information such as how the data is stored and when it is deleted. It also leaves open the possibility that major security vulnerabilities could be lurking in the server code. Germany seems to be doing an exceptional job in this regard, with the source for both the Corona-Warn-App mobile apps and the servers available on GitHub. Similarly, Italy has published the source code for both the Immuni app and its server.
Even if the source code for an app is available, it is often difficult or impossible to verify that the public source code is exactly the same source code that was used to build the app made available in the app stores. There are ways to do this: if the build is deterministic, anyone can compile the published source and compare the result, file by file, with the binary downloaded from the store (the only expected difference being the publisher's signature). In an effort to be completely transparent, all countries should ensure that it is possible to verify that the publicly available source code and the binaries in the app stores match. Telegram (the open-source secure messaging app) did this some months ago to allow researchers and others to ensure that the versions in the app store matched the source code released publicly, a process referred to as ‘reproducible builds’. Perhaps Apple and Google could help out with this to make the process easier and more transparent.
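As an added illustration of the comparison step in such a verification (example code, not from any of the apps or projects named above), the script below compares two Android APKs entry by entry by content hash while ignoring the entries the store's signing process rewrites. The two "APKs" are constructed in memory with zipfile so it runs offline; the entry names and contents are made up.

```python
"""Compare two Android APKs entry by entry, ignoring the signing metadata."""
import hashlib
import io
import zipfile

# Entries written by the signer; a rebuild from source cannot reproduce them,
# so a reproducible-build check compares everything except these.
SIGNING_PREFIX = "META-INF/"
SIGNING_SUFFIXES = (".RSA", ".DSA", ".EC", ".SF", "MANIFEST.MF")

def is_signing_entry(name):
    return name.startswith(SIGNING_PREFIX) and name.endswith(SIGNING_SUFFIXES)

def entry_digests(apk_bytes):
    """Map each non-signature entry name to the SHA-256 of its uncompressed content."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or is_signing_entry(info.filename):
                continue
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests

def compare_apks(store_apk, rebuilt_apk):
    """Return the sorted names of entries that differ, are missing, or are extra.
    An empty list means the two builds are content-identical apart from signing."""
    store, rebuilt = entry_digests(store_apk), entry_digests(rebuilt_apk)
    return sorted(n for n in set(store) | set(rebuilt) if store.get(n) != rebuilt.get(n))

def make_apk(entries):
    """Build an in-memory zip from {name: bytes}; a constructed stand-in for a real APK."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

# Constructed samples: the store copy carries a signature, the local rebuild does not,
# and the third differs in code and carries an extra asset.
STORE_APK = make_apk({"classes.dex": b"dex\n035", "AndroidManifest.xml": b"<manifest/>",
                      "META-INF/CERT.RSA": b"sig", "META-INF/CERT.SF": b"sf",
                      "META-INF/MANIFEST.MF": b"mf"})
REBUILT_APK = make_apk({"classes.dex": b"dex\n035", "AndroidManifest.xml": b"<manifest/>"})
TAMPERED_APK = make_apk({"classes.dex": b"dex\n036", "AndroidManifest.xml": b"<manifest/>",
                         "assets/extra.bin": b"x"})

if __name__ == "__main__":
    print("store vs rebuilt :", compare_apks(STORE_APK, REBUILT_APK))    # []
    print("store vs tampered:", compare_apks(STORE_APK, TAMPERED_APK))
```

Newer APK signature schemes (v2 and v3) store the signature in a block outside the zip entries, so an entry-level comparison like this already leaves them out; a reported difference in any remaining entry means the store binary was not built from the published source as-is.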
Regardless of these shortcomings, the fact that so many contact tracing apps have been open-sourced is extremely encouraging. We’ll be digging into the source code in the coming weeks and should have more to report then. Hopefully, this effort at transparency will encourage more users to download and use these apps so that they have a chance at working to help stop the spread of COVID-19. Perhaps it may even encourage countries to collaboratively develop contact tracing apps (unlikely, but we can hope!).