On Friday, Apple and Google announced they were working on a system that would make it easier for apps from country's health departments to trace the spread of coronavirus while aiming to preserve privacy. The system is designed to use bluetooth low energy to inform a user when they've been in close contact with someone who has self identified as having tested positive for the coronavirus.
This approach will only be effective if the vast majority of people opt into it and are able to get it on their phones, which is one reason Apple and Google are implementing the feature at the operating system level and are letting it work cross-platform. But Android is infamous for having a patchy at best update cycle, with some devices receiving updates and others going without. So how is the company going to push this feature out?
On a call with reporters Monday, Google said it was using the Play Services mechanism to update phones with the contact-tracing system. Not to be confused with the Play Store, Play Services is used to push new features to apps such as Google Maps or install new APIs without requiring a full update of the Android operating system itself.
Do you work at Google or Apple? Do you know anything else about the planned contact-tracing feature? We'd love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, OTR chat on email@example.com, or email firstname.lastname@example.org.
Google told Motherboard that Play Services is updated automatically, and that it can use Play Services to push the contact-tracting update to phones as far back as devices running Android 6. Android 6 itself is no longer supported by Google and does not receive security updates. In effect, this means Google can force its contact tracing API onto phones without the cooperation of carriers or device manufacturers, and without users having to do anything. Users will still have to opt-into actually using the feature, but, according to Google, it will automatically show up on their phones.
Initially, for the contact-tracing to work, a user will need to download a smartphone app from an official health department which will then use the new bluetooth feature. Later, both Android and iOS will have baked-in user interfaces which can allow users' devices to start some of the process themselves, but will need to download an app later if they do test positive and wish to share that information in an attempt to warn others, the companies said on the press call. The system is designed to do this anonymously through identifiers that change regularly and does not use location data itself, the companies said.
The feature does have some room for abuse, however, especially around trolls and people who may wish to try and game the system to report false positives. A company representative on the call suggested using QR codes that need to be scanned along with an official, positive result. Even if Apple and Google's system does have some protections in place around things like anonymity, how it is actually implemented by individual health department apps is another issue.
Subscribe to our cybersecurity podcast, CYBER.