EXPERT REACTION: COVIDSafe app released, but does it work on iPhones?

Not peer-reviewed: This work has not been scrutinised by independent experts, or the story does not contain research data to review (for example an opinion piece). If you are reporting on research that has yet to go through peer-review (eg. conference abstracts and preprints) be aware that the findings can change during the peer review process.

Opinion piece/editorial: This work is based on the opinions of the author(s)/institution.

The Federal Government has released the COVIDSafe app to help fight COVID-19, but there is still confusion about whether the tracking app works in the background on iPhones. Below, Australian experts comment.

Organisation/s: The University of New South Wales, The University of Western Australia, University of Wollongong

Funder: N/A

Expert Reaction

These comments have been collated by the Science Media Centre to provide a variety of expert perspectives on this issue. Feel free to use these quotes in your stories. Views expressed are the personal opinions of the experts named. They do not represent the views of the SMC or any other organisation unless specifically stated.

Professor Richard Buckland is Professor in CyberCrime Cyberwar and Cyberterror at the School of Computer Science and Engineering UNSW
  • Does it drain batteries?

Yes.  The large reason the app is unpopular in Singapore is the impact on phone battery life.  This is because (a) to be at all useful the app needs to be running all the time, and running consumes power. Constantly transmitting and listening for Bluetooth pings consumes power no matter how you do it.  Bluetooth is designed to be low power but even low power adds up to a lot of battery drain when done over a long period.

There is a chance the government could persuade Apple and Google to make some changes to their phone operating systems to allow the way the App interacts with the phone to send the beacon pings to consume a bit less power, but you can’t escape the fundamental truth – transmitting radio energy consumes power – that’s physics.

  • Have issues with iOS been solved and does the app work in the background?

To my knowledge the issues with iOS have not yet been solved. They require Apple to make changes which would potentially weaken the security and privacy of their phones and reduce battery life so Apple will be reluctant to make them but presumably the Government will have the potential to exert pressure on them.

  • Should we be downloading it without the code being released?

No, not unless there is an emergency reason.  Using it before it can be publicly scrutinised is like taking medication before there have been independent trials.  Testing is extremely important because early phase errors are so likely.  This app is potentially quite invasive and intrusive on your phone so the stakes are higher than for most Apps.  At the moment I have not seen *any* fully independent reviews of the source code.  Extensive pre-installation scrutiny is important to check that the app does not accidentally weaken the security of the phone in unexpected ways (this often happens with new code, especially code rushed out with minimal time for testing like this).

Last updated: 13 May 2020 6:07pm
Declared conflicts of interest:
None declared.
Professor Katina Michael is from the Faculty of Engineering and Information Sciences at the University of Wollongong

All apps drain an end-user's batteries (some are more inefficient than others). The greater the number of sensors used by the app, the faster the battery will drain. E.g. if you are playing video games or on a Zoom call with video then battery depletes REAL quick because sensors are being used. This is amplified when using Bluetooth or GPS or hotspotting using Wi-Fi etc. The more sensors are "on" and "active" the faster the battery will deplete. Interestingly this does not affect the sensor performance for the greater part - i.e., the GPS will work accurately etc even when battery is low, but the battery life will be low. Battery life is the amount of time a device runs before battery needs to be recharged.


Some apps can work in the background and don't have to be refreshed too often; Australian COVIDSafe App doesn't seem to be able to run in the background; rather it needs to be "open" and "active". The site note is very confusing for the average iOS user: turn the phone so the screen is dimmed etc.

I am very concerned that the concept was tested but the app was not tested "in the field" in "real-time" with different handset types. Just because a piece of code executes it doesn't mean it is bug free or design error free. Here we have a purported app that allegedly works (I don't know how the user will be sure it is actually working as it should be) and we have not tested this for performance, battery usage. How much market share does iOS have in Australia? Significant. Forty percent according to Statista.

The other thing that no one seems to mention too much is that not everyone has the BLE sensors needed in their handset, to make the App even work? What investigation was done into this? Did anyone take into consideration issues of in-building monitoring as Bluetooth devices everywhere - pair to printer, to car, to earphones, to FitBit etc?

  • For Apple iPhone Users

For iOS users (Apple) the problem is amplified as the end-user needs to turn on the in-app power save mode which handles performance management of the iPhone. This is basically an analysis of battery power needs of the app versus the battery power capability of the phone. Every user hopes for a longer lasting battery as they don't want to be in a situation where there is an emergency and they cannot use the voice part of the phone.

Unfortunately iOS version 13 has come under immense scrutiny for the battery hog that is its operating system, not that everyone that uses Apple products has the latest smartphone. Some people have reported just a few hours battery life while others say it can last up to 7-8 hours easily; the real figure is somewhere in between for 'average number of apps' downloaded.

  • Overall thoughts

"There is a major chink in the design. And little attention was placed on user device performance. We haven't done enough field testing and this means the device will likely not work as it drains people's batteries which may well be a greater hazard than COVID, given Australia's current COVID numbers.

A lot of companies that develop software that require battery data and sensor data, have complexities when they want to launch to a market beyond Android users. This is well known in the industry. But such is the brand for Apple that they want to maintain their competitive edge, and "privacy-enhancing" devices.

iPhone users may well give the app a go, but when they realise how fast the battery drains, they will quickly uninstall the app as it will inhibit the rest of their productivity on the device. So this is certainly an issue we have to consider, but does show the government did not do comprehensive testing. Would we deploy a half-baked vaccine for the people before it is ready for human testing? The answer is no. Thus we should not do so for apps."

  • Should we still go ahead and download?

"This is an individual user choice. Android is built on open source. Some people have downloaded the software that is similar for COVID Safe from Github and other locations, and gone through line by line. Some technical developers are saying "it's legit" and there is nothing to fear about downloading; if anything that it will make individuals more secure. We are speaking however of best practice, and the government has not achieved this.

How long will the app be "on" once installed? Is there a sunset clause? What are the limits of the tracing. Are we sure that future iterations of the App will not have a location-tracking element? What about the weaknesses in the current Privacy Impact Assessment released? How will these be addressed? And what about legislation to protect citizenry from possible misuse? And what of the fundamental design specification? All these things have yet to be addressed.

May this App create a "false sense of security". Relaxing of hygiene practices and more? The attitude that says: "I can be out n' about now, because I have the App". Ahum. Watch this space. The paradox? The more security we perceive we have, the more insecure we actually are."

Last updated: 20 May 2020 6:50pm
Declared conflicts of interest:
None declared.
David Vaile is stream lead for Data Protection and Surveillance at the Allens Hub for Technology, Law and Innovation at UNSW Australia's Law Faculty.
  • Have they solved the issues with iOS and does the app work in the background?

"Hard to say. The key technical info is missing, despite this being the key to people feeling well enough “informed” to give their consent by registering.

The greater level of security, and its gradual tightening over time, mean that iOS is generally safer and more restrictive than Android, which notoriously prefers ‘freedom’ for developers rather than security that comes from locking components of the software environment down against each other.

It is still unclear whether the iOS version runs in the background, there is inconsistent information, conflicting reports and plausible explanations either way. This is why Australian Privacy Foundation, and a hundred or so researchers and technologists, have separately called for release of the key technical information."

  • Does it drain batteries?  

"Again, impossible to say. There are some uses of iOS Bluetooth that cause a heavy drain, and others that are more frugal. People with low charge levels are more likely to care, and to trigger more frugal modes that may block the app function here. Note also that Bluetooth is flaky and not particularly secure, and there are reasons why you might ordinarily leave it off unless you are using it, not just those related to battery."

  • Should we be downloading it without the code being released?

"This is the unfortunate question created by the government’s reliance on attempted persuasion rather than providing the full information needed for “informed consent” prior to releasing the app, and their preference for avoiding wide consultation and review by expert and civil society bodies. In principle for something like this that potentially creates a centralised store of social graph information, reliant on legal and technical fixes for protection, you would advise caution. The public health concerns are however also very important, which is why it is hard. Although even here without the provision of proper technical and risk information, it is hard to assess the likely impact of the app in addressing potential outbreaks following relaxation of suppression tactics like lockdown, and thus hard to assess ‘necessity and proportionality’, the key criteria for justifying intrusive uses of personal data."

Last updated: 29 Apr 2020 3:55pm
Declared conflicts of interest:
None declared.
Dr David Glance is from the University of Western Australia Centre for Software and Security Practice

UPDATED COMMENT:

"We have run more experiments with the app and monitored the Bluetooth communication. It appears that the iPhone version of the application will only work in background mode when communicating with another iPhone that has the app running in the foreground. When communicating with an Android phone, the iPhone app needs to be running with the screen on to communicate effectively. The app can safely run in background mode on an Android phone.

This problem may be fixed when Apple releases its changes for tracking with Bluetooth but until then, if you are running the app on an iPhone, it needs to be running in the foreground when you are out and about. The phone can be set into low power mode so that the app does not drain the phone.

Clearly this is not ideal but the full nature of the problem only became apparent after testing. Apple’s documentation would lead you to believe that it should be technically possible to run the application in the background, but this is not the case."

PREVIOUS COMMENT:

"It appears that the app is largely based on the Singapore TraceTogether app with some differences to integrate infrastructure and services provided by Amazon AWS and to collect a name, postcode and age range in addition to a telephone number. The data appears to be kept locally and only uploaded with the consent of the user.

The developers seemingly have solved the issue of needing the application to be in the foreground and so once launched, the phone can be used normally.

On the iPhone, the app will not run as efficiently in background as it would in foreground mode - however it is likely that it will still work. It is constantly scanning for other phones and so it doesn’t really matter if it isn’t 100% as functional.  We still need to test this by looking at how many “pings” it sends out when in background mode - but I would fully expect the developers to have done this. It would be ridiculous to release an application that doesn’t work in the background if it explicitly allows you to do that. 

At this time, the application does not seem to consume significant power.

Because the Android app is able to be reverse-engineered, it appears that the Government is not going to be too concerned about the privacy of the code and so will likely release it for more extensive review.

Analysis is still ongoing to look for other flaws, but for the time being, the app should be downloaded and used as fundamentally, it is designed to assist in keeping people safe and well. The risks appear at this time to be very low."

Last updated: 19 May 2020 9:57am
Declared conflicts of interest:
None declared.
