This is a reproduction of the summary of my full report, which is available here. The research done in this report was completed in August 2020, and a lot has probably changed in TraceTogether since then; an evaluation of TraceTogether in its current iteration can use the above report as a starting point. Also note that none of this is related to the TraceTogether token, which I have not explored yet.
Introduction
TraceTogether is a COVID-19 contact tracing mobile application developed by Singapore’s Government Technology Agency (GovTech). Along with the closed-source TraceTogether app, GovTech has also released an open-source version known as OpenTrace, and a white paper describing the protocol used by TraceTogether, which they call BlueTrace.
In this report, we conduct a detailed static analysis of TraceTogether on Android. Our research seeks to answer 3 main questions:
- Is the closed-source TraceTogether app identical or largely similar to the open source OpenTrace app?
- How does using TraceTogether impact a person’s privacy?
- Does TraceTogether contain any security vulnerabilities?
To answer these questions, we reverse engineered the TraceTogether app to uncover its architecture and inner workings. We focused on the backend components of TraceTogether, and ignored most of the UI-related code.
This report assumes the reader is already familiar with the general concepts surrounding TraceTogether, and has read the BlueTrace protocol white paper.
Internally, TraceTogether goes by the name BlueTrace, as can be seen by the Android application ID (sg.gov.tech.bluetrace). We will refer to the TraceTogether app as BlueTrace henceforth. Note that the BlueTrace white paper refers to “BlueTrace” as a protocol; in this report we will explicitly refer to the protocol as the “BlueTrace protocol”.
We conducted our analysis on BlueTrace version 2.0.15, downloaded from the Google Play Store. This is identical to the version that a regular user would install and use on their phone.
A newer version, 2.1.4, was released after we had completed most of our analysis. We performed a differential analysis of the latest version and present our findings in Section 8. Analysis of BlueTrace 2.1.4.
We present a summary of our key findings here for ease of reference.
BlueTrace and OpenTrace
BlueTrace and OpenTrace are largely similar and appear to be descended from the same code base. BlueTrace adds a few new features: pausing, SwiftMED detection, a metrics component, and some new remote command features that we describe shortly.
Privacy
BlueTrace generally respects privacy, and keeps to its word on what data it collects. It does not track a user’s physical location via Android’s location system. Personal identification information that is stored locally is encrypted, and is never transmitted except during the initial registration phase.
TempIDs
BlueTrace uses TempIDs as a means of preserving privacy while exchanging contact tracing records. However, we found that TempIDs still pose a privacy risk: because they are publicly broadcast, it is important that a particular TempID is never associated with some other piece of personal information. For example, if a string containing a TempID is transmitted in the clear along with the user’s IP address, then a link would be established between that TempID and the IP address.
We found that BlueTrace did not expose TempIDs to external parties. Only the BlueTrace app and the central server know what TempIDs were issued to a user. However, BlueTrace maintains a local store of TempIDs. This store is in the clear, and an attacker with privileged access to BlueTrace would be able to read it. Such an attacker would thus be able to associate the user with the TempIDs. However, since this attack would require some form of compromise of the BlueTrace client, its impact is low. Please see Section 5.2.6. TempID Exposure Attack for more information.
Metrics
BlueTrace contains a component that collects statistics and periodically sends them to a central server. This component was not present in OpenTrace. It collects the following data:
- some information about system state
- the number of contact tracing records collected over the past day
- the timestamp of the latest record collected
An analytics component also exists, which is identical to the one in OpenTrace; it mostly sends error messages to a central server, with no sensitive information.
Based on our analysis, the metrics and analytics components do not pose much of a privacy risk. It is possible for the metrics information to be used to infer some information about a user’s location: for example, a relatively larger collection count would indicate more movement, or being in an area with more people.
Pause Feature
BlueTrace has a pause feature that allows a user to manually pause contact tracing. We verified that this feature works as expected; when turned on, no contact tracing records are exchanged. Nevertheless, we recommend turning Bluetooth off as well should a user be concerned about their privacy.
Remote Command Activation
BlueTrace’s FCMService component allows the central server to remotely activate certain BlueTrace features. This component is also present in OpenTrace. The main features that can be activated remotely are scanning and advertising, which already run periodically. FCMService can also trigger BlueTrace to upload metrics to the server. We also verified that FCMService does not allow the central server to remotely unpause a paused BlueTrace app.
Security
BlueTrace appears to be written securely. We traced the flow of data from untrusted sources (remote BLE devices), and did not find any vulnerable uses of the data.
BlueTrace uses the Gson library to JSON-deserialize untrusted data. This is done in a secure fashion, but any vulnerabilities in Gson would be of concern. BlueTrace also eventually writes the untrusted data into an SQLite database, but fortunately this is done using parameterized queries, and so SQL injection attacks are not possible.
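To illustrate the two points above (type-checked deserialisation of an untrusted record, and why the parameterised insert matters), here is an added example in Python; it is not code from the app or from OpenTrace. The record fields (`id`, `rssi`, `txPower`) and the hostile payload are constructed, and the schema is a simplified stand-in for the app's own database.

```python
import json
import sqlite3

# Constructed payloads standing in for JSON read from a remote BLE peer.
BENIGN = '{"id": "TEMPID_EXAMPLE_1", "rssi": -60, "txPower": -12}'
# The TempID field carries a stacked-statement injection attempt.
HOSTILE = '{"id": "x\', 0, 0); DROP TABLE record; --", "rssi": -60, "txPower": -12}'


def parse_record(raw: str) -> dict:
    """Deserialise an untrusted JSON record and enforce the expected shape.
    Only the known keys survive; a wrong type raises ValueError."""
    obj = json.loads(raw)
    if not isinstance(obj, dict):
        raise ValueError("record must be a JSON object")
    tmp_id, rssi, tx_power = obj.get("id"), obj.get("rssi"), obj.get("txPower")
    if not isinstance(tmp_id, str) or not tmp_id:
        raise ValueError("id must be a non-empty string")
    if not isinstance(rssi, int) or not isinstance(tx_power, int):
        raise ValueError("rssi and txPower must be integers")
    return {"id": tmp_id, "rssi": rssi, "txPower": tx_power}


def open_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE record (id TEXT, rssi INTEGER, txPower INTEGER)")
    return db


def store_unsafe(db: sqlite3.Connection, rec: dict) -> None:
    # Vulnerable form: the TempID is interpolated into the SQL text.
    # executescript permits stacked statements, like some DB drivers do.
    db.executescript(
        f"INSERT INTO record VALUES ('{rec['id']}', {rec['rssi']}, {rec['txPower']});")


def store_safe(db: sqlite3.Connection, rec: dict) -> None:
    # Hardened form: values are bound as parameters, never parsed as SQL.
    db.execute("INSERT INTO record VALUES (?, ?, ?)",
               (rec["id"], rec["rssi"], rec["txPower"]))


def table_exists(db: sqlite3.Connection) -> bool:
    row = db.execute(
        "SELECT count(*) FROM sqlite_master WHERE type='table' AND name='record'"
    ).fetchone()
    return row[0] == 1


def stored_ids(db: sqlite3.Connection) -> list:
    return [r[0] for r in db.execute("SELECT id FROM record")]
```

With the parameterised insert the hostile TempID is stored literally and the table survives; with string interpolation the stacked DROP runs.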
Some minor bugs were found as well, but they were assessed to have no security impact.
BlueTrace version 2.1.4
We performed a quick analysis of the latest version of BlueTrace, 2.1.4. We did not find any serious issues with this version, and our conclusions remain the same.
BlueTrace 2.1.4 does include a new feature that allows it to manage SafeEntry check-ins. Part of this feature logs check-ins in the database and stores them for 25 days. This has a minor privacy impact, as an attacker with privileged access to BlueTrace would be able to see the check-ins. However, non-BlueTrace users are likely to have equivalent information stored in the history of the web browser they use to access SafeEntry.
Conclusion
BlueTrace is generally respectful of a user’s privacy, with only one minor privacy issue relating to TempID storage. BlueTrace also does not appear to have any significant security flaws, and only a few minor bugs.