Earlier this year, the Linux Foundation Public Health (LFPH) began the process of performing third-party security audits for two COVID-19 exposure notification apps. The audits were performed to improve the overall security of the source code that is used by public health agencies (PHAs) around the world. As a result of these audits, multiple issues were resolved proactively by both teams, and the major findings show that both codebases are generally safe to use.
Such audits improve open source software. They are a benefit of belonging to an open source community that values transparency to drive better solutions that affect people, companies and organizations down the line. The pandemic has presented a grave challenge to public health, and LFPH is committed to doing its part to strengthen the collective defenses.
The apps, COVID Shield and COVID Green, underwent rigorous third-party security and privacy reviews by the independent, non-profit Open Source Technology Improvement Fund (OSTIF), which selected Dr. Nadim Kobeissi from Symbolic Software to perform the audits. Dr. Kobeissi was chosen to build the threat models and lead the review due to his prior experience reviewing exposure notification applications. As a result of these audits, both applications have implemented improvements to remediate potential issues.
A public security audit is a great way to test the quality of open source code and, more importantly, to test the resiliency of its security practices. COVID Green and COVID Shield are widely used by health authorities across the U.S., Canada, and Europe, making it imperative that they adhere to the highest levels of security best practice.
The report covers the process, what has been reviewed, the issues that have been identified, and how they have been addressed.
The full report from OSTIF and Symbolic Software can be found here.
Security goals and findings
COVID Shield was developed by a volunteer team at Shopify and is being deployed in Canada. COVID Green was developed by a team at NearForm as part of the Irish Government’s response to the pandemic. Since being deployed by Ireland’s Health Service Executive four months ago, the app built on COVID Green has achieved extraordinarily high adoption of over one-third of the country’s adults. COVID Green has also been deployed in four other countries and four US states. Both apps are available for other PHAs and their IT partners to use and customize, and will soon be joined by other open source projects hosted by LFPH.
In order to meet the high expectations of a pandemic exposure notification application employing the Google Apple Exposure Notification (GAEN) framework, COVID Green and COVID Shield were tested for the following criteria:
- User Privacy
- Authentication Between Client and Server
- Data Integrity
- Service Availability
The audit found several issues that have now been addressed. In COVID Green, a potential denial-of-service (DoS) through diagnosis key flooding and a potential reuse of diagnosis keys (which could lead to false exposure notifications) were found. In COVID Shield, the test suite was found not to generate random keys, reducing test coverage for a critical part of the application’s functionality. Note again that all of these issues have been fixed.
Some further changes were recommended for the future:
- COVID Green: Avoid SMS-based notifications and instead rely on in-app notifications and on direct communication with medical practitioners.
- COVID Green: Statistical data figures are overly precise.
- COVID Shield: Clarify the security guarantee, as it depends on actions performed server-side in the current deployment that other deployments might not perform.
- COVID Shield: Prevent incorrect diagnosis key timestamps (this data is discarded in the current deployment, so it is not considered a serious concern).
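Three of the findings listed above (diagnosis key flooding, diagnosis key reuse, and incorrect diagnosis key timestamps) are all properties of what a server accepts when an app uploads its Temporary Exposure Keys. The example below is an added illustration for this post, not code from COVID Green, COVID Shield, LFPH or the audit report: a single validation pass over a constructed upload that rejects each of those classes of input, generalizing the three findings into one server-side check. The 16-byte key length, the 10-minute rolling interval, the 144-interval day and the 14-day retention window are GAEN framework constants; the per-upload key limit and the choice to refuse an oversized batch outright are assumed policies for this example, not values taken from either project.

```python
"""Server-side validation of uploaded GAEN diagnosis keys.

Added illustration: not code from COVID Green, COVID Shield, LFPH or the
audit. One validation pass rejects the classes of input the findings name:
oversized uploads (key flooding), keys already published (reuse), and keys
whose rolling interval does not make sense (bad timestamps). Values marked
"assumed policy" are choices for this example, not either project's.
"""
from dataclasses import dataclass

INTERVAL_SECONDS = 600       # GAEN rolling interval unit: 10 minutes
INTERVALS_PER_DAY = 144      # 24 h / 10 min; a full-day key has this period
MAX_KEY_AGE_DAYS = 14        # GAEN retains at most 14 days of keys
MAX_KEYS_PER_UPLOAD = 15     # assumed policy: 14 past days plus today
TEK_LENGTH = 16              # a Temporary Exposure Key is 16 bytes


@dataclass(frozen=True)
class DiagnosisKey:
    key_data: bytes       # the 16-byte Temporary Exposure Key
    rolling_start: int    # interval number at which the key became valid
    rolling_period: int   # number of intervals the key was valid for


def validate_upload(keys, now_unix, seen_keys, max_keys=MAX_KEYS_PER_UPLOAD):
    """Check one upload. Returns (accepted_keys, rejection_counts).

    seen_keys is the set of key_data this server has already published;
    keys accepted here are added to it so a later resubmission is refused.
    """
    rejected = {"too_many": 0, "bad_key": 0, "bad_timestamp": 0, "reuse": 0}

    # Flooding: refuse the whole batch rather than trimming it (assumed
    # policy), so a client learns nothing about the limit from what got in.
    if len(keys) > max_keys:
        rejected["too_many"] = len(keys)
        return [], rejected

    now_interval = now_unix // INTERVAL_SECONDS
    oldest_start = now_interval - MAX_KEY_AGE_DAYS * INTERVALS_PER_DAY

    accepted = []
    batch = set()
    for k in keys:
        if len(k.key_data) != TEK_LENGTH:
            rejected["bad_key"] += 1
            continue
        # Timestamp sanity: period within one day, start not in the future,
        # start not older than the retention window.
        if (not 1 <= k.rolling_period <= INTERVALS_PER_DAY
                or k.rolling_start > now_interval
                or k.rolling_start < oldest_start):
            rejected["bad_timestamp"] += 1
            continue
        # Reuse: same key bytes already published, or repeated in this batch.
        if k.key_data in seen_keys or k.key_data in batch:
            rejected["reuse"] += 1
            continue
        batch.add(k.key_data)
        accepted.append(k)

    seen_keys.update(batch)
    return accepted, rejected


def day_start(interval):
    """Interval number of the UTC day boundary at or before `interval`."""
    return interval - interval % INTERVALS_PER_DAY


def constructed_upload(now_unix):
    """Constructed sample upload (not real data) exercising each check."""
    today = day_start(now_unix // INTERVAL_SECONDS)
    return [
        DiagnosisKey(b"\x01" * 16, today - INTERVALS_PER_DAY, 144),       # ok
        DiagnosisKey(b"\x02" * 16, today - 2 * INTERVALS_PER_DAY, 144),   # ok
        DiagnosisKey(b"\x01" * 16, today - 3 * INTERVALS_PER_DAY, 144),   # reuse within batch
        DiagnosisKey(b"\x04" * 16, today + INTERVALS_PER_DAY, 144),       # starts in the future
        DiagnosisKey(b"\x05" * 16, today - 20 * INTERVALS_PER_DAY, 144),  # older than 14 days
        DiagnosisKey(b"\x06" * 16, today, 0),                             # zero period
        DiagnosisKey(b"\x07" * 5, today, 144),                            # wrong key length
        DiagnosisKey(b"\x08" * 16, today - INTERVALS_PER_DAY, 144),       # already published
    ]


def demo(now_unix=1_600_000_000):
    """Run the sample upload, then a flooding attempt, against one server state."""
    seen = {b"\x08" * 16}                      # key published by an earlier upload
    accepted, rejected = validate_upload(constructed_upload(now_unix), now_unix, seen)
    today = day_start(now_unix // INTERVAL_SECONDS)
    flood = [DiagnosisKey(bytes([i]) * 16, today, 144)
             for i in range(20, 20 + MAX_KEYS_PER_UPLOAD + 1)]   # one over the limit
    _, flood_rejected = validate_upload(flood, now_unix, seen)
    return len(accepted), rejected, flood_rejected, len(seen)


if __name__ == "__main__":
    print(demo())
```

The count limit only bounds a single upload; a real deployment would also bind each upload to a one-time verification code issued by the PHA and rate-limit by that code and by client address, which this example leaves out. The reuse check works only because the server keeps the set of keys it has already published, so that set, not just the published key files, has to be part of the server's state.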
All findings were reviewed and either resolved or determined to be choices intentionally made by the Public Health Authorities (PHAs) issuing these apps, and therefore out of scope of the study. We hope that by making the security audits and processes public, we instil more trust in the use of these apps to fight this deadly pandemic, help PHAs securely deploy such apps, and inspire other projects to pursue audits in their respective open source communities.
Please contact the LFPH at firstname.lastname@example.org to better understand how PHAs can utilize these ready-to-go codebases complete with security audits, and get connected to teams that can help develop exposure notification applications.