(Image: AAP/Scott Barbour)

How many Australians have to download the Morrison government’s surveillance app for it to be effective in helping health authorities trace contacts of people who have tested positive for COVID-19?

At least 40% of the population, says Scott Morrison.

Not 40%, say bureaucrats from the Department of Health. In fact, they hadn’t suggested a target at all, they told a Senate committee hearing yesterday. The 40% figure seems to be an invention with no public health basis, despite the prime minister’s certainty. On current download rates, the app is unlikely to reach Morrison’s benchmark any time soon.

Some in the media have accommodated this by shifting the goalposts and pretending Morrison meant phone users, or even adult phone users.

It certainly can’t mean iPhone users since the app doesn’t work properly on those devices, as bureaucrats admitted yesterday — contradicting Government Services Minister Stuart Robert, who declared it was fine on iOS devices.

The Senate committee also heard that phones of different generations may have trouble exchanging information, especially if the app is only running in the background. Meantime, state and territory governments have yet to finalise arrangements to actually start using the data collected by the app.

As cybersecurity experts get time with the app to see how it works, more in-depth analyses are emerging that have exposed potentially serious flaws that could be easily exploited.

Software engineer Jim Mussared says he supports the app and its goal of saving lives but wants people to be aware of its risks. He released a detailed account of several significant problems he had discovered in the app and which he advised to the Department of Health and security agencies within hours of the app launch.

One issue, which the Australian app has inherited from its source code, the OpenTrace app, means the app will broadcast the same ID, rather than regularly changing that ID, to certain devices, enabling the app to serve as a de facto tracking device.

Another problem, introduced in the Australian version of the app, also generates identifying information about the phone on an indefinite basis, again enabling the app to be used as a tracking device if a receiver has the right software.

The problems mean that it is trivially easy for someone to write an app, or construct a receiving device, that can track the movement of a particular phone over an extended period. This isn’t an issue about government surveillance (that can be done perfectly easily with mobile phone metadata and a warrant) but about abuse by malicious actors.

“Stalkerware” — apps and devices that allow someone to monitor the phone of a family member, intimate partner or anyone else whose phone they can access — is a growing market that enables domestic abusers to purchase the means to surveil and control their victims, usually without the latter knowing how. As Mussared notes in his paper, the app flaws “would be especially worrying to victims of domestic violence (also note that the issues described here do not require access to an unlocked phone).”

Fortunately, in each case, the problems are relatively easily fixed or relate to app features that are unnecessary, and could be addressed with an update to the app.

But they also appear to reflect the haste with which the app has been developed by the government, without adequate testing, especially by experienced cybersecurity experts like Mussared who can run the kinds of tests that have exposed its potential for misuse. The fact that state and territory governments are still not ready to use the information it will provide suggests the urge to be seen to do something took priority. That haste means the chance for a relatively trouble-free launch of a functional, well-tested app was lost.

Do you trust the CovidSAFE app? Let us know your thoughts at [email protected]. Please include your full name if you would like to be considered for publication.