- The app uses the Google Apple Exposure Notification (GAEN) framework
- Third-party apps are not supposed to have access to app codes
- CoronaMelder app will not send warnings about potential infections for two days
The Netherlands’ Ministry of Health, Welfare and Sport announced that it disabled its COVID-19 contact-tracing mobile app after it was discovered that users’ private data was collected by other programs Google installs by default on Android phones.
The CoronaMelder app will not send warnings about potential infections for two days, the health ministry said, after the data leak was discovered.
The app uses the Google Apple Exposure Notification (GAEN) framework, just like many other similar apps used throughout the EU. It works by exchanging constantly changing, randomly generated codes between phones that are close to each other, and it sends warnings to those who were in contact with someone who later tested positive for COVID-19.
Third-party apps are not supposed to have access to these codes. However, it turned out that this was not the case on Android phones, and apps installed by default were very much capable of reading the data.
In a statement, the government said this was a ‘violation of the Temporary Act on notification application [for] COVID-19.’ The breach was first discovered by an EU-wide eHealth Network and reported to the Netherlands on April 22. An investigation was launched shortly after, prompting Health Minister Hugo de Jonge to temporarily suspend the app, even though Google ‘indicated’ that it had fixed the issue.
The government is not taking any chances, though, opting to make sure the issue is solved before allowing the app to resume functioning. It will use the two days to “investigate whether Google has actually fixed the leak,” the ministry’s statement read.
According to Google, the problem lay with ‘random Bluetooth identifiers used by the Exposure Notification framework’ that were ‘temporarily accessible to a limited number of pre-installed applications.’ It also said that the data provided by the identifiers ‘on their own have no practical value to bad actors,’ adding that the third-party apps’ developers were likely unaware the data was available.
Google also promised that the fix would be ‘available to all Android users in the coming days.’ The Dutch app had been downloaded by 4,810,591 people as of April 27, according to its website.