SecureMac, Inc.

The Checklist Podcast

SecureMac presents The Checklist. Each week, Nicholas Raba, Nicholas Ptacek, and Ken Ray hit security topics for your Mac and iOS devices. From getting an old iPhone, iPad, iPod, Mac, and other Apple gear ready to sell to the first steps to take to secure new hardware, each show contains a set of easy to follow steps meant to keep you safe from identity thieves, hackers, malware, and other digital downfalls. Check in each Thursday for a new Checklist!

Checklist 186: Catching Up on Contact Tracing

Posted on May 22, 2020

This week, we’ll bring you up to speed on Big Tech’s efforts to fight Covid-19. 

Reinventing the wheel

Back in April, we told you about Apple and Google’s joint initiative to develop a cross-platform Covid-19 contact tracing tool. In subsequent weeks, we discussed some potential concerns about the project, and we talked about how different countries were planning to use — or not use — the technology.

Several countries announced that they would eschew the “Silicon Valley” version of contact tracing, and would instead be creating their own tools independently of Apple and Google. However, the “go-it-alone” contingent is finding out that this may be easier said than done.


The problem is that — absent the help of the iOS or Android API  — it’s not at all straightforward for a third-party contact tracing tool to make the OS behave as it should. Apple and Google designed their API to allow a tracing app to run constantly in the background (whether or not the phone was locked or unlocked). But due to privacy concerns, all of that functionality is restricted for third parties, which makes it rather difficult to build a tool that does what it’s supposed to do. A contact tracing app that shuts off when it’s in your pocket is, well, not exactly ideal. In addition to this, the normal privacy restrictions in iOS and Android limit data collection for third party apps, which will complicate efforts to gather the sort of information needed by public health authorities to track the spread of the virus and make smart decisions about what venues can and can’t be reopened. 

So how are things actually going in specific countries that have developed their own apps? Frankly, not great.

In the United Kingdom, the National Health Service (NHS) app appears to cause significant battery life issues — and that’s the least of its problems. In addition, experts have found multiple security flaws in the app, including a vulnerability that could allow hackers to send out bogus exposure notifications, evidence that law enforcement may be able to access unencrypted data on mobile devices running the app, and indications that the app makes it very easy to identify specific individuals who are using it. In view of the many issues with the NHS app, British officials are reportedly considering the possibility of scrapping it and switching over to the Apple–Google API, but no word yet on what they will decide.

Australia, for its part, has already had enough of going solo. After discovering that their app couldn’t run in the background on iPhones — which is pretty much the same as saying “it didn’t work” — they’ve decided to move to the iOS and Android API released earlier this week. 

Meanwhile, at least one U.S. state appears determined to chart its own course, independent of Silicon Valley. Utah has announced that it will release a Covid-19 contact tracing app called “Healthy Together”, built by social media startup Twenty. The app is already raising concerns, however, as it appears to abandon the concept of user privacy altogether. It relies on GPS and cell phone tower location data, and requests access to the contacts list of the mobile device on which it is installed. It also shares information with public health officials and even members of the development team. Whether that will be enough to discourage Utahns from using the app remains to be seen, but Healthy Together may face more serious problems than a lack of public confidence. If Australia is any indication, the app may not work well in the background on iOS without Apple’s API, which would render the tool ineffective for many users.

iOS 13.5 is here!

While some countries and states struggle with DIY contact tracing apps, Apple has already released the first version of its Exposure Notification API as part of the iOS 13.5 update.

The API, to reiterate, doesn’t do anything by itself — it’s just the framework that will allow legitimate public health authorities to develop apps that will work on iOS. The API will only be made available to one app in each country, although there may be some exceptions for countries that need to take a region-by-region approach (in the US, for example, several states will develop their own local apps).

In keeping with the focus on privacy, the API is turned off by default. In fact, you can’t even turn on the “Covid-19 Exposure Logging” option until an app that can use it has been installed on your phone. In effect, this will create a kind of “double opt-in” for people living in places where such apps become available: They’ll first have to download the actual app, and then enable Exposure Logging as well. If you want to see where to access those options on your iPhone, go to Settings > Privacy > Health > Covid-19 Exposure Logging.

The same iOS update also introduced some new features that are clearly designed to address issues brought on by the pandemic.

Face ID got a helpful tweak that will come as welcome news to many users who were frustrated by the delays caused by their phones trying (and failing) to unlock when they were wearing masks. Face ID will now be able to recognize if you’re wearing a mask, and will offer you an immediate passcode prompt if you swipe up from the bottom of your phone. Previously, the passcode unlock option would only appear after a slight delay — not a big deal under normal circumstances, but obviously pretty annoying if it’s happening multiple times per day.

In addition, users of FaceTime group calls will now be able to disable automatic prominence for the current speaker’s video tile. While it’s normally fine for quick chats with friends, the automatic prominence feature gets a little distracting (not to mention vertiginous) over the course of a long meeting or study session with multiple participants. 

We recommend enabling automatic updates in all but the rarest of cases, but if you haven’t set that up yet, or if you’ve simply opted to stay with manual updates for your own reasons, you can upgrade to iOS 13.5 by going to Settings > General > Software Update. Once there, you will see the option to download, and then install, the newest version of the operating system.

That closes the books on this Checklist, but we’ll be back next week with a new episode. In the meantime, stay safe — and be sure to drop us a line if you have a security question or a topic you’d like to see covered on a future show!

Join our mailing list for the latest security news and deals