UK Covid19 Track & Trace App on Android – Update

The UK Government's Coronavirus contact tracing app for England and Wales went live on 24 September 2020. I have been using the app since then, monitoring its performance as well as comments from users on the Android Play Store.

Permissions

On the Google Play Store, the following are the permissions that need to be enabled to run the England/Wales contact tracing app:

  • Camera (so that you can scan QR Codes in various locations)
  • Pair with Bluetooth devices
  • Run at startup
  • View network connections
  • Full network access
  • Prevent device from sleeping

What it doesn’t tell you is that you also need Location Services turned on for Android 10 and earlier. Android 11 does not require Location Services to be switched on, but at the time of writing Android 11 has only just been released and is not currently on any non-Google Android phones.

You also need to suspend battery optimisation and allow the app to run in the background, otherwise it is put to sleep when you lock the screen or stop using it.

The Google/Apple policy states that only apps issued by a national public health authority can use the built-in contact tracing technology (which was deployed via a Play Store update on Android) and that these apps are prohibited from tracking the user's location through the app.

App Battery and Network Usage

Over the past week I have been using the app, the battery usage has been negligible as you can see from the screenshot. This shows the battery usage since the last charge which would have been a few hours previously. However, I can assure you that the battery usage on my device is 1% or less over a full day.

The network usage has also been fairly minimal, although the screenshot only shows the mobile data usage. The additional WiFi data usage is 3.54Mb over the same period (at the moment I am on WiFi nearly all the time).

Some people have reported significant battery drain when this app is installed. This has not been my experience. However, as I am largely working from home now, it doesn’t get to exercise these functions that much. The battery drain is probably due to other apps having access to Bluetooth and Location services which are now a lot more active.

The best option for you is to go through all the apps you have installed on your phone and disable location services unless they actually need this to work. You should also investigate whether you can disable location data collection via the account you use to log in to the app. I suggest you go to your Google account and disable location sharing there, but this will also disable many of the location-based features provided on Android by Google.

Additional Risks

A lot of apps request far too many permissions for the function they perform. See the screenshot I published in an earlier blog for a simple torch app that uses the phone's LED flash to provide a torch function.

The risk here is that an app already installed on your phone, and holding the location permission, may start using Location services as soon as you switch them on.

Our standing advice is to only enable WiFi when you are going to use a known WiFi connection, and to equally keep Bluetooth and Location services switched off unless the app you are using requires them. However, if you are going to install the NHS Covid19 app, it needs Bluetooth and Location services switched on to work and provide protection.

We recommend that you regularly check the permissions of apps installed on your phone to determine if they have enabled something you were not initially aware of, especially if you experience excessive data/battery drain. Before you install an app, check the permissions on the app listing. If the permissions appear excessive then simply don’t install the app. Right now you need to check to see if something is using Bluetooth and/or Location services when it doesn’t need to and disable that permission.
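For readers who have a computer with adb available, the audit described above can be scripted. This is an added example, not part of the original article: it assumes the text output of `adb shell dumpsys package` has been saved from the phone, and the package names in the sample are hypothetical.

```python
import re

# Location and Bluetooth permissions to review (standard Android permission names).
WATCHED = {
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.ACCESS_BACKGROUND_LOCATION",
    "android.permission.BLUETOOTH",
}
PKG_RE = re.compile(r"^\s*Package \[([^\]]+)\]")
GRANT_RE = re.compile(r"^\s*([\w.]+): granted=(true|false)")

def granted_permissions(dumpsys_text):
    """Map each package to the watched permissions it currently holds.

    Lines under "requested permissions" carry no granted= flag, so they are
    ignored: only permissions actually granted are reported.
    """
    result, current = {}, None
    for line in dumpsys_text.splitlines():
        pkg = PKG_RE.match(line)
        if pkg:
            current = pkg.group(1)
            result.setdefault(current, set())
            continue
        grant = GRANT_RE.match(line)
        if grant and current and grant.group(2) == "true" and grant.group(1) in WATCHED:
            result[current].add(grant.group(1))
    return result

def unexpected(dumpsys_text, expected_packages):
    """Packages holding a watched permission that the owner did not expect."""
    return {p: sorted(v) for p, v in granted_permissions(dumpsys_text).items()
            if v and p not in expected_packages}

# Constructed sample in the layout of `dumpsys package`; package names are hypothetical.
SAMPLE = """\
Packages:
  Package [com.example.torch] (1a2b3c):
    requested permissions:
      android.permission.ACCESS_FINE_LOCATION
    install permissions:
      android.permission.BLUETOOTH: granted=true
    User 0: installed=true
      runtime permissions:
        android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET ]
  Package [com.example.contacttracing] (4d5e6f):
    install permissions:
      android.permission.BLUETOOTH: granted=true
  Package [com.example.notes] (778899):
    runtime permissions:
      android.permission.ACCESS_COARSE_LOCATION: granted=false
"""
```

Calling `unexpected(SAMPLE, {"com.example.contacttracing"})` reports only the torch app, which holds both location and Bluetooth access; the notes app is skipped because its location permission was requested but denied.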

This article is a bit dated, but does show how to disable permissions in earlier versions of Android. There are plenty of articles online to help you out for later versions of Android and iOS. You can find out what version of Android you are on by looking in the settings app under the “System / About Phone” section, normally at the end of the settings options (this may vary depending on the manufacturer and how many customisations they have put in over the stock Android experience).

One comment on the Play Store claimed that the app was not built by the NHS, but by a third party, and was not official. If you go to the NHS Covid 19 Website and link from there to the relevant app store, you will get the official app. It may have been built by a third party, or one of the NHS’s contractors, but this is the official app.

There are a number of reported issues with the app that should have been ironed out before it went live. All I can say is that on my Android device (that runs Android 9 and is fully updated with the latest patches), I have no problems with Bluetooth dropping out or excessive battery/data drain. The issues detected by users could be down to a bad implementation of Bluetooth on their device, a defect on the device (possibly due to age), battery optimisation being turned on or malware interfering with its operation. Sometimes a factory reset will fix these problems, but you will then have to set up your phone from scratch. If you then re-install the app that infected your device with malware, then you are back to square one.

It should be noted that in the past week we have tweeted about malware on Android devices. We are preparing a more extensive blog on mobile malware, so please look out for it in the future once we have completed our research.

The App will never tell you who you may have been in contact with, or where. This is against the privacy rules established by Google and Apple.

The app uses Apple and Google Exposure Notifications. When exposure logging is switched on, Apple or Google may send you notifications which are not managed by the NHS. You are currently not able to turn these off. Important messages from the NHS COVID-19 app will always be visible to you from inside the app. Visit: https://faq.covid19.nhs.uk/article/KA-01252/en-us for more information and the text shown to you in the notification and from within the app.

There is a feature in Android where you can pin a widget to your home screen that allows you to review notifications. This is how you do it:

  • Add a widget to your home screen
  • Search for the “Settings widget” and add it to your home screen
  • In the resulting screen select “Notification Log”.

The screen shown when you tap this widget is very bad on all versions of Android I have seen. Android 11 is attempting to clean this up, but so far I have not seen it on an actual device. On Android 10 and earlier, you need to look for a line that says “android.text” or “android.bigText” (see highlights) which may show you what the notification was about.

Conclusion

The NHS England/Wales Covid19 Track & Trace app is another weapon in our armoury to help us keep this virus under some kind of control. I would urge anyone with a phone capable of running it to download and activate it and join the 5m+ users who have already downloaded it. If you start getting symptoms, then report it through the app so that anyone you may have come into contact with can be alerted to a possible infection and can self-isolate.

There are security and privacy risks associated with having Bluetooth and Location services switched on all the time, but these can be managed by auditing your currently installed apps and removing permissions or de-installing the app.

The app itself is not permitted to disclose any private information or track your location. It will not give you details of who you may have come into contact with or where. This is against the Google/Apple policy. However, you need to follow the advice given in the app.

These conditions apply for any app based on this technology, which applies to all the UK based apps for Northern Ireland, Scotland, England and Wales. This will also apply to other apps produced in other countries based on this technology.

Please make sure you download the official app provided by the various UK devolved governments and not a scam app.

You can also read our other blogs on this subject below for background and concerns we have regarding this technology:

Please keep safe, and keep everyone else safe.


Headline image provided by henry perks on Unsplash
