Use #itsaexpo #itsa365

25 - 27 October 2022 // Nuremberg, Germany

it-sa Newsroom

Traceability vs. data privacy? The Corona-Warn-App under scrutiny


© Bundesregierung

What do experts in IT security and data protection think of Germany’s Corona-Warn-App? And how do apps work outside their home country? The development is ongoing.

Numerous IT security experts have examined the Corona-Warn-App and attest to its high standard of security. Nevertheless, there are vulnerabilities and risks in the contact tracing process.

The German Federal Office for Information Security (BSI), which also conducted penetration tests (ethical hacking) on the app’s backend, has attested that the Corona-Warn-App offers the highest level of information security. Ulrich Kelber, the German government’s Data Protection Commissioner, also explained in a press release that there were no reasons not to install the app as the data protection was sufficient.

Numerous security experts have analysed the source code published on the GitHub portal and reported any deficiencies they found back to the developers. TÜV-Nord subsidiary TÜV-IT, which checked the app on behalf of the BSI, was impressed by how quickly and in what quality the developers had reacted to any vulnerabilities that were uncovered. This is indicative of a successful development process.

However, there are risks lurking in other areas: “The media discontinuity from the app to the phone hotline is not a good solution,” explains Kelber. Although when they receive a positive test result, users are also supposed to get a QR code to scan in, many laboratories are not yet set up for this. Initially, users are therefore being asked to call the Robert Koch Institute (RKI) hotline to make sure that the data are recorded in the app. But this hotline could also represent a security hole, for example in the event of attempts to trigger false alarms.

There are also potential problems with the interfaces provided by Google and Apple. Researchers from the Technical University of Darmstadt, along with colleagues from the universities of Marburg and Würzburg, have shown that cyber-criminals can identify infected users and create movement profiles of them. Google and Apple are now working on rectifying the deficiencies in these interfaces.

TeleTrusT presents its own analysis

The German IT Security Association (TeleTrusT) hosted its own information session to discuss problems associated with the coronavirus app. Even before the German government’s app was published, a simple search for “corona app” came up with six hits, says one of the association’s security experts. It needed to be assumed that these were copycats attempting to steal user data with bogus apps, he warned. He expected that these apps would continue to proliferate and recommended not searching for the app directly in app stores but using  the official government download links. There are often also other security issues in the Bluetooth interfaces of smartphones, and it is not uncommon for cyber-criminals to exploit these to achieve unauthorised access or steal data.

TeleTrusT also sees a need for action in respect of data protection. Karsten Bartels, a lawyer specialising in data security, called for example for the publication of the relevant data protection documents like the order processing agreement with Telekom and SAP. There was also still no risk assessment as per Art. 32 of the GDPR. “Article 32 is the core standard of the GDPR in respect of technology and security,” explains Bartels. For example, this article requires security measures in accordance with the state-of-the-art. Bartels also criticised the fact that the age from which it was permissible to use the app was unclear. The GDPR calls for a minimum age of 16. The government would need to lower the age to enable the use of the app from the age of 13, says the data privacy expert.

Europe-wide solution still a way off

Thorsten Urbanski, Head of the TeleTrusT Working Group Mobile Security, pointed out another problem: “What happens if you are travelling or on holiday abroad?” he asks. Although similar apps exist in countries like Spain or France, there is no data exchange with them. Anyone who encounters an infected person will not be informed of this by the app. Although EU countries intend to make their apps compatible and extend the warning effect to the entire EU, this is still a long way off. This means that Europe’s citizens are going to have to spend the holiday season without the benefit of this function, during a time when international data exchange would have the greatest impact.

Another article discusses which apps are used in other countries.


You will also find news about all aspects of it-sa and the world of IT security in the it-sa Security Newsletter.

To register for the newsletter