Date: 2021-08-24

The TousAntiCovid mobile application, launched at the end of last year, was developed in the context of the Covid-19 pandemic and in the fight against the spread of the virus. The application, which has received several updates and various features, has recently been the subject of a study and it appears that its users’ personal information could be compromised.

TousAntiCovid: a transmission prevention application

TousAntiCovid is a mobile application launched by the government on October 22, 2020 with the aim of containing the Covid-19 pandemic. More specifically, it is an update to the original StopCovid application, which didn’t work at all for the French.

The application works over low-energy Bluetooth and makes it possible to trace contacts and warn them of a possible transmission of the virus from an infected person. As part of the “health passport”, a “notebook” holding test and vaccination certificates is integrated into the application.

The application has been examined

On Thursday, August 19, 2021, three researchers published a risk analysis of the TousAntiCovid mobile application on GitLab. According to them, the application could reveal the personal information of its users. The issue is believed to stem from a new feature that was introduced last June.

A system for generating statistics has been integrated into the application, in particular to evaluate its use and effectiveness. However, this functionality would also make it possible to establish correlations between the various data transmitted to the server and thus reveal certain personal data of the users.

Gaëtan Leurent, one of the three authors of the report, shared the report on his Twitter account and explained the outline of his study in various posts. Gaëtan Leurent is a cryptographer, which means he secures computer systems and information technologies by creating algorithms and numbers to encrypt data.

The study by the three researchers shows that the central server of the TousAntiCovid application:

Your data at risk

The report’s authors explain that the collection of statistics is triggered by a series of timestamped events. The actions carried out by the user are then recorded in a log. One of the researchers explains that “by thwarting the events in the diary, data leaks will occur.”

So when friends often eat together in restaurants, they have almost synchronous events in their respective apps. And that would make it easy to infer that they were in these places together.
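An added illustration of the timing correlation described above, not code from the researchers' report or from the application: it counts on how many distinct days two pseudonymous IDs log events within a short window of each other. The log layout, IDs, timestamps, window and threshold are all assumptions constructed for this example.

```python
from datetime import datetime

# Constructed sample: (pseudonymous ID, ISO timestamp) pairs such as a
# statistics server might hold. IDs, times and layout are invented.
LOG = [
    ("u-a1", "2021-07-02T12:31:05"), ("u-b2", "2021-07-02T12:31:40"),
    ("u-c3", "2021-07-02T12:31:50"),
    ("u-a1", "2021-07-09T20:02:10"), ("u-b2", "2021-07-09T20:02:55"),
    ("u-c3", "2021-07-11T09:00:00"),
    ("u-a1", "2021-07-16T13:15:00"), ("u-b2", "2021-07-16T13:16:10"),
    ("u-d4", "2021-07-16T18:45:00"),
]


def linked_pairs(log, window_s=120, min_days=3):
    """Return {(id1, id2): days} for ID pairs whose events fall within
    window_s seconds of each other on at least min_days distinct days."""
    events = sorted((datetime.fromisoformat(ts), uid) for uid, ts in log)
    days_seen = {}
    for i, (t1, u1) in enumerate(events):
        # Events are time-ordered, so stop at the first one outside the window.
        for t2, u2 in events[i + 1:]:
            if (t2 - t1).total_seconds() > window_s:
                break
            if u1 != u2:
                pair = tuple(sorted((u1, u2)))
                days_seen.setdefault(pair, set()).add(t1.date())
    return {p: len(d) for p, d in days_seen.items() if len(d) >= min_days}


if __name__ == "__main__":
    # A single coincidence (u-c3 on 2 July) links nothing by itself;
    # the repeated pattern between u-a1 and u-b2 does.
    print(linked_pairs(LOG))
    print(linked_pairs(LOG, min_days=1))
```

Running the same count over a real statistics schema is a quick way to judge whether timestamp precision alone makes pseudonymous records linkable.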

Your identity can leak

Another important point of the report is the possibility of tracing back to an identity card from the anonymized user ID of the application. This identity card contains in particular the name, date of birth and vaccination details of the person.

The report claims that it is possible to know the identity of a user and also infer their visits.

“If it crosses this data with the logs of the certificate converter, it can trace the identity of the users.”

Following their study, the three researchers believe that the government’s TousAntiCovid application needs to be improved to reduce the risk of data leakage, and suggest that the various systems involved should be independent.

Ability to disable data collection

Although the TousAntiCovid application has been automatically collecting data on every account of its users since last June, it is possible to disable this feature.

On the mobile application home page, scroll to the bottom and click the Settings tab. Scroll all the way down again: the “Statistics and audience measurement” functionality is always activated. If you wish, you can deactivate it and delete your data at the same time.

