NHS app to act as Covid passport for international travel, flaws emerge in Google track and trace API

Transport secretary reveals plans to open up international travel while Google says it will patch the contact tracing flaw

Transport Secretary Grant Shapps has revealed that the government plans to use the NHS app as a way for people to demonstrate that they have been vaccinated or have been tested before international travel.

"It will be the NHS app that is used for people when they book appointments with the NHS and so on, to be able to show you've had a vaccine or that you've had testing," Shapps told Sky News. "I'm working internationally with partners across the world to make sure that system can be internationally recognised."

The app in question is one used to book GP appointments, rather than the Covid-19 contact tracing app (about which more below). The mooted plans will only apply to people living in England, as health services in Wales, Scotland and Northern Ireland are devolved in such matters. Practical implications are not yet clear. Commenters on Twitter have noted the app will not work on older phones and also that people may have to apply for access to their medical records beforehand.

Meanwhile, a privacy flaw has emerged in the Android version of the Google-Apple Exposure Notification (GAEN) framework that could allow pre-installed apps on a device to see sensitive user data.

That's according to researchers from privacy analysis firm AppCensus, who claim that the Android version of the Covid-19 exposure notification app writes vital information to system log files, which could be read by hundreds of third-party apps, exposing users' personal information to other companies.

Many countries, including the UK, Canada and New Zealand, have been using the GAEN framework in their Covid-19 contact tracing apps. In the UK, the NHS Covid contact tracing app alerts users if they spend 15 minutes or more within two metres of another user who subsequently tests positive for Covid-19.

Users can scan QR codes to check in at venues like stores, restaurants and bars. If a venue is later identified as a potential coronavirus hotspot, each device is sent a notification alerting its user to the potential exposure.

When Google and Apple released their Covid-19 contact tracing framework last year in the wake of the pandemic, the companies promised that data generated through the apps, including users' private health information, would be anonymised and never shared with anyone other than public health agencies.

"Our goal is to empower [public health agencies] with another tool to help combat the virus while protecting user privacy," Google CEO Sundar Pichai said in May last year, when the GAEN framework was released publicly.

However, researchers at AppCensus believe that Google's version of the GAEN framework may have left the door unlocked to a privacy breach.

Joel Reardon, co-founder of AppCensus, told The Markup that they started testing the GAEN framework as part of a contract with the US Department of Homeland Security and found a privacy bug in GAEN's Android version.

According to Reardon, Google was notified about the vulnerability in February, but the company has failed to address the bug so far.

No similar issues were found in the iPhone version of the framework, according to Reardon.

Reardon said that fixing the issue in Android would be as simple as removing a few non-essential lines that write sensitive data to the system log.

However, Google told AppCensus that the issue was not "severe enough" to qualify for a bounty and that their team would "decide whether they want to make a change or not".

Reardon claims that they also reached out to Android's director of privacy engineering Giles Hogben about the issue, but Hogben said that the system logs could only be accessed by some specific apps.

"[System logs] have not been readable by unprivileged apps (only with READ_LOGS privileged permission) since way before Android 11 (can check exactly when but I think back as far as 4)," Hogben said in an email to Reardon, according to The Markup.

Reardon said that pre-installed apps, including Samsung Browser and Motorola's MotoCare, can collect information "that would be devastating to the privacy of people who use contact tracing."

When Google was contacted by The Markup to comment on the issue, the company's spokesperson José Castañeda said that they were "notified of an issue where the Bluetooth identifiers were temporarily accessible to specific system level applications for debugging purposes, and we immediately started rolling out a fix to address this".

Castañeda added that the "roll out of this update to Android devices began several weeks ago and will be complete in the coming days."