A new poll has found that more than half of Americans are either unwilling or unable to use COVID-19 illness tracing applications as researchers warn that the apps present a security risk.

A Washington Post-University of Maryland poll released today found that of the 82% of Americans who have smartphones, willingness to use contact tracking apps was split. Half said they would definitely or probably use such an app and the other half said they probably or definitely wouldn’t.

Some 59% of smartphone users said they would be comfortable with using an app if they tested positive for COVID-19. The number drops when it comes to support for Google LLC and Apple Inc., the two tech companies co-designing an app for the U.S. market, with only 43% of smartphone users saying they had a great deal or a good amount of trust for the companies.

Both Apple and Google announced they were working on the technology April 10. Apple released a developer preview of iOS 13.5 that includes the first version of the coronavirus tracing feature today.

The service uses Bluetooth and randomized tokens to broadcast and scan for others who are also using the same app in close vicinity to the user. If a user tests positive for COVID-19, an alert is sent to any people who came into contact with that person, letting them know they may have been exposed.

COVID-19 tracing apps in different forms have grown in popularity over the last month as governments worldwide look to technology to manage the pandemic better. In the U.K., the National Health Service is working with Google and Apple, while other countries, such as Australia, have used technology first developed in Singapore.

The fact that data is shared raises security concerns. While the intent of the apps may be noble in attempting to address the COVID-19 pandemic, that doesn’t necessarily make them safe.

“The COVID-19 contact tracing applications are made with the best intentions during an unprecedented time but like most applications that collect users’ geographic locations and personally identifiable information, they have the potential to be manipulated into malicious tracking devices,” Erez Yalon, director of security research at application security testing firm Checkmarx Ltd., told SiliconANGLE. “While speed is critical in rolling out these tracing applications, a quick-to-market process might lower the focus on security and privacy, creating more issues than solutions for end-users.”

Yalon said it’s critical that before the applications are rolled out, the design has security at the center, such as threat modeling methodologies and code reviews that are conducted manually by professionals or automatically by application security testing and software composition analysis tools. “Post-release, developers must constantly test the applications for security vulnerabilities and be on high alert to deploy patches as needed to safeguard users,” he said. “Given the potential data that is monitored by these applications, they’re likely to be front and center on adversaries’ target lists.”

Joshua Berry, associate principal security consultant at electronic design automation company Synopsys Inc., noted that the contact tracing applications use Bluetooth Low Energy advertisements to send and collect messages to identify contacts made with other users.

“In the case of a contact tracking app, the message content sent to devices over BLE contains data that is intended to be passively collected and stored by the mobile application,” Berry said. “A mobile application that only performs this basic functionality would not alone present sufficient functionality for an attacker to be able to exploit to gain control over a mobile device. An attacker could attempt to overload a user’s device with BLE messages that appear to the mobile device as sufficiently valid to store, which could cause the application to not function as desired or to later receive false-positive contact notifications.”

Image: Google