NHS COVID-19 App

Today, the long-awaited NHS COVID-19 app has been released in England and Wales after months of delays and problems. The app officially went live at 12am (on the 24th September 2020) and is free to download on Apple's App Store and on the Google Play Store.


Now the first thing that comes to mind about a COVID-19 track and trace app is obviously privacy and, let's be honest, a government app rings alarm bells when it comes to privacy. However, the difference between the old NHS COVID-19 app that was in testing and the current NHS COVID-19 app that's been publicly released is that the new COVID-19 app is open source. The fact that this NHS COVID-19 app is open source makes me feel a whole lot more at ease with having it on my phone. Security researchers and the general public can look at the app's source code on GitHub to see if the app has any code which can compromise your privacy by giving away location data, phone make and IP addresses. So far, nothing in the code that I've personally looked at has alerted me to privacy being compromised when the app is installed and used, but it's always good to look at and inspect the code yourself and make a judgement on whether to install it or not.


If you want to know more about how the app works while maintaining your privacy, please scroll down to the end.


When you have installed the app from either the Google Play Store or the App Store, you will be presented with a screen asking if you are aged 16 years or older. 16 years of age is the minimum age required to use the app. After confirming your age, you then have to enter the first part of your postcode. This is the only information the app collects from you and it doesn't identify you personally. From there the app automatically sets up and you're ready to go.


This is the main screen of the NHS COVID-19 app:


On the home screen of the app, quick options are clearly listed for the user. The NHS COVID-19 app tells you the COVID-19 alert level in the area you live in at the top of the screen. When you click on this, the app tells you to follow national guidance set by the Government depending on the level.


The three levels you can get on the app are:

- Low 

- Medium

- High


Security and Privacy:

With an app like this that alerts you to people you've been in contact with, it's important that privacy is protected and security is strong.

Below is how the app protects your privacy:

  • Bluetooth only

The app only uses Bluetooth and not GPS. This means that your location cannot be recorded and sent to a server for tracking and monitoring purposes. Bluetooth is used to scan for the Bluetooth signals that other copies of the NHS COVID-19 app send out, and once a connection is made, randomly generated codes from the app are encrypted client side and sent to the other user's phone. Client-side encryption is important for security and privacy because it prevents someone carrying out a MITM (Man In The Middle) attack from knowing the codes sent from the app. If attackers (black hat hackers, Government agencies) are able to intercept the codes from the app, they cannot read the codes because they are encrypted.

For example: 

Non encrypted code: AA14VCS 

Encrypted code: 2cxlee4)arvri49/crrwj239fvfAAKnm4552)sadcr93231
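The rotating random codes described above can be modelled in a few lines. This is an added example, not code from the NHS app or from this blog: it loosely follows the publicly documented Exposure Notification design in simplified form, substitutes HMAC-SHA256 for the AES step so it runs with the Python standard library alone, and all function names and sample data are constructed for illustration.

```python
import hashlib
import hmac
import os

INTERVAL_SECONDS = 600     # one broadcast code per 10-minute window
INTERVALS_PER_DAY = 144    # one random daily key covers 144 windows


def interval_number(unix_time):
    """Index of the 10-minute window that contains unix_time."""
    return unix_time // INTERVAL_SECONDS


def rolling_code(daily_key, interval):
    """16-byte code broadcast in one window (HMAC stands in for AES here)."""
    msg = b"EN-RPI" + interval.to_bytes(4, "little")
    return hmac.new(daily_key, msg, hashlib.sha256).digest()[:16]


def codes_for_day(daily_key, first_interval):
    """Every code a phone would have broadcast under one daily key."""
    return {rolling_code(daily_key, first_interval + i)
            for i in range(INTERVALS_PER_DAY)}


def find_exposures(heard, published_keys):
    """On-device matching: count heard codes that published keys reproduce."""
    return sum(len(heard & codes_for_day(key, start))
               for key, start in published_keys)


def demo():
    # Constructed sample data: three phones on 2020-09-24 (00:00 UTC start).
    day_start = interval_number(1600905600)
    alice_key, bob_key = os.urandom(16), os.urandom(16)
    # Carol's phone hears Alice in three windows and Bob in one.
    heard = {rolling_code(alice_key, day_start + i) for i in (50, 51, 52)}
    heard.add(rolling_code(bob_key, day_start + 90))
    # Only Alice tests positive, so only her daily key is published.
    matches = find_exposures(heard, [(alice_key, day_start)])
    # Consecutive codes from the same phone differ, so a passive listener
    # cannot link them without the daily key.
    changed = (rolling_code(alice_key, day_start + 50)
               != rolling_code(alice_key, day_start + 51))
    return {"matches": matches, "codes_change": changed}


if __name__ == "__main__":
    print(demo())
```

The matching happens on the phone that heard the codes, so the server only ever sees the daily keys of users who chose to report a positive test.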


  • Cannot see personal information

The app's code has been designed to not be able to monitor or read your contacts that are stored on your phone, your text messages and images. Therefore, the app cannot identify you personally or identify phone information like model numbers, personal phone numbers or monitor other apps installed on the phone.


  • The NHS COVID-19 app uses Apple's and Google's Exposure Notification API

Apple and Google have created an Exposure Notification API that COVID-19 apps use. The API respects the user's privacy by doing the following things:

(Image credit: Google)


  • Open source software

The NHS COVID-19 app is open source and the code can be viewed on GitHub. Having the app open sourced is important because security researchers can inspect the code and make sure the app is safe to use, protects your privacy and has strong security. Closed-source apps are bad because the developers can insert malicious code into the app that can compromise your security and privacy.


Lastly, even though these security practices are in place, remember that nothing is bulletproof. Your security and privacy could still be compromised due to human error, but don't be alarmed by this. As the app is open source, you can inspect the code for yourself and make a judgement on installing the app or not. It's very unlikely any malicious code will be inserted into the app as security researchers are inspecting the code all the time.


NHS COVID-19 APP SOURCE CODE CAN BE VIEWED HERE: https://github.com/nhsx

MORE INFORMATION ABOUT THE NHS COVID-19 APP CAN BE FOUND HERE: https://covid19.nhs.uk/

