Douglas Leith and Stephen Farrell (Trinity College Dublin)

We report on an independent assessment of the Android implementation of the Google/Apple Exposure Notification (GAEN) system. While many health authorities have committed to making the code for their contact tracing apps open source, these apps depend upon the GAEN API for their operation and this is not open source. Public documentation of the GAEN API is also limited. We find that the GAEN API uses a filtered Bluetooth LE signal strength measurement that can be potentially misleading with regard to the proximity between two handsets. We also find that the exposure duration values reported by the API are coarse grained and can somewhat overestimate the time that two handsets are in proximity. Updates to the GAEN API that can affect contact tracing performance, and so public health, are silently installed on user handsets. While facilitating rapid rollout of changes, the lack of transparency around this raises obvious concerns.

View More Papers

QPEP: An Actionable Approach to Secure and Performant Broadband...

James Pavur (Oxford University), Martin Strohmeier (armasuisse), Vincent Lenders (armasuisse), Ivan Martinovic (Oxford University)

Read More

Towards Measuring Supply Chain Attacks on Package Managers for...

Ruian Duan (Georgia Institute of Technology), Omar Alrawi (Georgia Institute of Technology), Ranjita Pai Kasturi (Georgia Institute of Technology), Ryan Elder (Georgia Institute of Technology), Brendan Saltaformaggio (Georgia Institute of Technology), Wenke Lee (Georgia Institute of Technology)

Read More

C^2SR: Cybercrime Scene Reconstruction for Post-mortem Forensic Analysis

Yonghwi Kwon (University of Virginia), Weihang Wang (University at Buffalo, SUNY), Jinho Jung (Georgia Institute of Technology), Kyu Hyung Lee (University of Georgia), Roberto Perdisci (Georgia Institute of Technology and University of Georgia)

Read More