SecureMac, Inc.

Checklist 181: Tech Takes on Coronavirus

April 16, 2020

This week, Ken looks at the Apple/Google team-up on contact tracing, Apple’s use of Maps data to fight the spread of COVID-19, and a story about brand phishing that’s not coronavirus related. Mostly.

Checklist 181: Tech Takes on Coronavirus

This week on the Checklist, we’ll tell you more about:

Apple and Google join forces

Apple and Google are more accustomed to competing than cooperating — but in these extraordinary times, they’re putting aside their usual rivalry for the common good. The two tech giants are teaming up to develop a contact tracing tool that will help public health authorities slow the spread of Covid-19.

In epidemiology, contact tracing is the process of identifying people who have come into contact with an infected person, and then following up to gather more information about those contacts. The goal is to gain insight into how an illness is spreading — and to take steps to slow it down.

So how are Google and Apple planning to assist in contact tracing while at the same time protecting individual privacy? In a word, Bluetooth.

Bluetooth is the short-range data transfer protocol that allows nearby devices to set up quick connections (It’s what your iPhone uses to connect to your AirPods, for example). All mobile devices nowadays come equipped with Bluetooth transmitters and receivers. By leveraging this ubiquitous technology, and using secure cryptographic protocols, Apple and Google hope to create a system whereby mobile devices will broadcast an anonymized beacon to other nearby devices, while at the same time listening for other people’s beacons. The end result will be a record of devices that have been in close proximity to one another, but a record that will only be kept on the individual devices, and not transferred to a remote server controlled by someone else. 

If someone tests positive for Covid-19, they can give permission for medical authorities to upload their device’s data to a centralized server, which will then broadcast that information to other devices that have come into contact with their phone. Again, this will be done using cryptography in order to protect individual privacy. If you get an alert on your phone letting you know that you may have been exposed to Covid-19, then you’ll be able to take follow-up steps like self-isolation or early testing.

Of course, all of this raises some serious questions about efficacy, implementation, and privacy.

First, it’s important to ask if the proposed system will be compatible with older devices. Apple says that it intends to make any contact tracing tool available to the widest possible number of users. As it is, around 75% of iOS users are already using the most up-to-date OS, iOS 13, so with additional measures taken by Apple, we can expect fairly comprehensive coverage of iOS users from the system. Google is known for having a large user base of people who are still running older OSes, but the company says that it anticipates that the new contact tracing tech will work for anyone with Android 6.0 or newer, which covers about 85% of Android users.

Another factor that bears on efficacy is that a pretty substantial number of people will have to opt in to the system for it to work. According to researchers at Oxford University, something like 60% of the population would have to be using the tool in order for it to be effective. But will that many people really sign up for contact tracing technology on their phones? Some are skeptical, including lawmakers like Senator Richard Blumenthal, who has warned Apple and Google publicly that they have a lot of work to do in order to persuade the public that their new tracing tool really protects privacy. But many people will likely consider the potential privacy risk a reasonable tradeoff for a chance at stopping Covid-19 and helping life return to normal.

In terms of implementation, Cambridge University researchers point out that regular testing and official verification of reported test results will be necessary in order for the system to be a success. The issue of testing — both in terms of availability of test kits as well as the political will to carry out mass testing — will vary by locale. But verification shouldn’t pose too much of a problem: Apple and Google already say that they will put safeguards in place in order to make sure that people aren’t falsely reporting themselves as having tested positive for the virus, perhaps by leaving the uploading of data to the central server entirely in the hands of medical authorities.

In terms of privacy, there is reason to be optimistic. Apple and Google seem serious about the issue, building multiple cryptographic safeguards into the draft version of the system. In addition, the tracing tool isn’t going to record or reveal location data, and is only designed to tell you whether or not you’ve encountered someone with the virus in the past 14 days. Furthermore, only public health authorities will have access to the API needed to create a tracing app, which will prevent third parties from abusing the new tracing functionality to create things like privacy-invading marketing apps.

In terms of the timeline, Apple and Google say that it should be possible for public health authorities around the world to create local tracing apps with the API starting in mid-May, with further refinements and functionality expected in the following months. 

Which brings us to the final question: When an app arrives in your area, should you trust it? There’s no easy answer to that question, because nothing is foolproof, and oftentimes questions of privacy boil down to how much you trust the people implementing and controlling a given system.

So far, Apple and Google have taken steps that genuinely inspire confidence, but it remains to be seen how public health officials around the world will use the tool. It’s possible that some less-than-trustworthy governments will attempt to use the API in ways that Apple and Google did not intend, which could be a cause for concern. Nevertheless, for many of us, an opt-in tool, with opt-in diagnosis reporting, managed by Google and Apple, and under the control of public health officials who are accountable to elected representatives, would be an acceptable privacy risk when balanced with saving lives and reopening our economies.

Mapping mobility in a pandemic

Apple has released a new web based tool that allows anyone who is interested to see how people are moving around during the pandemic — providing insights into whether or not they’re following recommendations to stay home and avoid unnecessary travel. The tool uses data from Apple’s Maps app to display a graphical overview of trends in walking, driving, and public transportation for major cities around the world.

Apple says that their aim is to allow government officials to make informed decisions about public health policy. For example, if it became apparent that people in a given area were not staying at home, and were therefore thwarting efforts to stop the spread of Covid-19, the local health authorities might deem it necessary to close public beaches or implement stricter quarantine policies. 

It’s important to note that Apple isn’t reporting on the actual location of users, or the mobility trends of individuals. The data is based on counting the number of requests for directions made to Maps, and is presented in aggregate form only (a full CSV dataset can be downloaded from the site for those who are interested in seeing what it looks like). In addition, the data sent from your mobile device to the Maps service is not associated with your Apple ID, but instead with random, rotating identifiers — in other words, Apple has your data, but they don’t know that it’s your data!

While this may still seem intrusive to some people, Apple’s position is that they are trying to contribute to a better understanding of group behavior while still respecting individual privacy, with the end goal of giving decision makers the information they need to save lives.

Phishing with brands

Imitation may be the sincerest form of flattery, but there are definitely times when it’s a security threat as well: Researchers at Check Point say that Apple is now the most imitated brand in phishing attacks.

Brand phishing is a type of phishing attack in which bad actors attempt to impersonate a known brand by using a lookalike website with a similar domain or URL. Links to the malicious site are sent out by email or text message; users may also be redirected to it during web browsing or via a fraudulent app. These sites often contain bogus web forms designed to steal personal information, login credentials, or payments.

With regard to phony emails and texts from “Apple”, there’s a pretty easy way to protect yourself: Don’t click on links that come in your email, and use Apple’s website instead. If you get a link telling you about a great new deal on an Apple product, don’t click on it: Simply navigate to in your browser and look for the offer there. If it’s legit, you’ll be able to find it on Apple’s site. Similarly, while Apple typically won’t need to contact you about billing, if you do get an email about some financial issue with an App Store or iTunes purchase, it’s much safer to navigate to the site or service in question, log in to your account, and view your purchase history from inside the App Store, iTunes, Apple Music, etc.

In terms of why Apple has suddenly become so frequently impersonated, well, say what you will about hackers, but they’re nothing if not adaptable: Researchers suspect that the popularity of Apple in recent phishing attacks is due to public interest in the rumored-but-not-released Apple Watch Series 6. They’ve also noted a surge in attempts to impersonate Netflix and PayPal, as well as an increase in mobile phishing attacks — all of which is likely due to the fact that more people are staying at home during the pandemic. 

In addition to brand-based phishing attempts, there has also been an increase in fake websites tied to Covid-19, which we talked about a few weeks ago. Here too, it’s important not to click on links that come via email or text, and to do your best in these uncertain times to rely on trusted, well-established sources of information. If you want public health or medical information, visit the website of the World Health Organization or the Centers for Disease Control. In general, try to get your news from a reputable news outlet that you know and trust, whatever that means to you.

Since there is so much fraudulent activity going on right now, it might also be a good time for a brief refresher on how to avoid common scams and keep yourself safe. Here are some topics we’ve covered on past Checklists that might help with this:

  • Checklist 37 provides a complete introduction to phishing, including less well-known types of attacks
  • Checklist 43 covers the topic of spam (and how to avoid it)
  • Checklist 45 talks about social engineering, the human element in hacking
  • Checklist 68 shows you how to guard against scams that target the elderly
  • Checklist 139 explains two-factor authentication, which can protect your accounts even if hackers somehow manage to steal your passwords

All of these are great resources for self-study, but they’re also perfect for sharing, because while regular Checklist listeners are fairly savvy when it comes to security, not everyone is a regular Checklist listener! If you have a coworker, friend, or relative who might need a little bit of help with digital security and privacy, especially right now, take a moment to share a couple of these episodes so that they can keep themselves safe.

And of course, if you have a security question we can help you with or if you want to suggest a topic for an upcoming show, please feel free to write to us at We’d love to hear from you!

Join our mailing list for the latest security news and deals