First look: NHS COVID-19 tracing app put to the test

May 6, 2020 | Mobile, Regulation, UK

First look: NHS COVID-19 tracing app put to the test
The UK is currently testing its COVID-19 tracing app on the Isle of Wight, a vital tool to help stem the spread of the virus. But is it effective? Does it stay on in the background? Does it stop false reporting? Technology and message recovery service Reincubate were able to get an early view into the app ahead of it going live in the UK.

The app is currently in a trial phase and is only available to residents on the Isle of Wight, who have received a leaflet containing a link that will trigger a download. Eventually, the app will be available to anyone to download directly from the UK versions of Apple’s App Store and the Google Play Store.

How it works

When a user installs it, they are asked to enter the first four characters of their postcode, and set up app permissions. The app needs permission to use Bluetooth Low Energy to determine when it is near another phone using the app, keeping Bluetooth on at all times. Next, the user needs to approve push notifications so the app can alert them if they have been near someone with symptoms of the virus.

Once set up, a home screen offers the current advice on stopping the spread of the virus and asks a question: “How are you feeling today?”.

The following diagram shows how the app works and interacts with other users:

After testing the app, Reincubate have put together quick explainer as to what they expect the app will do in terms of working in the background and whether it will still capture data

Here is what they found by digging into the options available for contact tracing apps built without recourse to Apple’s iOS 13.5 frameworks.

  • The NHS COVID-19 app appears to work correctly when running in the background on iOS devices, unlike the Australian COVIDSafe app
  • The app prevents false reports by providing users with symptoms with a reference code: that code is then associated with formal test results before action is taken
  • NHS COVID-19 instructs healthcare workers to turn off Bluetooth on their device whilst wearing PPE, explaining “your interactions at work should not be captured when you are wearing PPE”.

Challenges in contact tracing when an app isn’t shown on screen

App developers have few options when it comes to keeping apps “alive” when they’re not up front and centre on a user’s device. Apple carefully manages these options to ensure that apps don’t invade user privacy, or unduly run down user batteries. In particular, they draw a distinction as to whether an app has *focus* — ie. it’s shown on the screen — or is running in the background. Recent updates to iOS have [limited the ability developers have] to access data whilst backgrounded: for instance, prior to being able to limit background collection so effectively, Uber was able to track a user’s movements even when not in a cab.

In order to run in a meaningful sense in the background, an app’s publisher needs to get permission from Apple when it is submitted to the App Store, by marking it with a set of “Background Modes”. These background modes are limited for use when transmitting video from one device to another, when collecting location updates, acting as a phone, or using Bluetooth. For instance, these modes are what let your phone run AirPlay in the background, play music without Spotify always showing, call someone with WhatsApp and then put it in the background, or track your run on Strava.

* The NHS COVID-19 app– view from Reincubate iPhone Backup Extractor

These modes are limited, however, and users may be familiar with the iPhone notifications asking if apps should be allowed to access your location in the background. Even when a user grants these permissions, the phone may continue to request confirmation that this is the right thing to do.

Contact tracing apps are built using Bluetooth low-energy (BLE), which — simply put — allows devices to recognise each other. Theoretically, Apple’s “Uses Bluetooth LE accessories” and “Acts as a Bluetooth LE accessory” modes are ideal for this, and allow use of BLE in the background. However, whilst a backgrounded app using these modes will be able to continue to communicate with any BLE devices it’s already in communication with (such as a Bluetooth smart-lock), it won’t be able to control the rate of broadcast to poll devices that it hasn’t seen before. When backgrounded, this makes it harder to look for signs of new devices, to communicate with them meaningfully, and in particular to identify non-Apple devices. This rather hampers contact tracing apps that must run continuously in the background.

To quote Apple’s documentation on the service:

“All service UUIDs […] can be discovered only by an iOS device that is explicitly scanning for them. […and for] apps that are advertising are in the background, the frequency at which your peripheral device sends advertising packets may decrease.”

Workarounds and alternative approaches for tracing

Of course, this isn’t a new challenge for developers: they’ve long been trying to find methods for apps to stay backgrounded and collect restrictions tracing data.  Frameworks such as the open source AltBeacons have emerged to tackle this, aren’t viable for contact tracing where a device must continuously be looking for new devices. As ABC found in Australia, when looking at their national COVIDSafe app, there’s not been a practical solution to this. A few exploits exist that might be temporarily useful — such as registering one’s app as an audio player and making it play music — but these and other exploits of this nature are frowned on by Apple, stand to inconvenience users, and rarely pass approval to the App Store.

In the meantime, Apple has been preparing to release iOS 13.5, which is currently available in beta. Apple are able to make changes to *their own* system that are advantageous to tracking in this way. 13.5 will introduce a number of more obvious features — such as support for FaceID for users wearing a mask, or at least a more rapid route to entering a passcode — and some less obvious features, such as the “ExposureNotification” framework which enables just what the contact tracing apps need. This won’t result in the perfect system, of course: not every user will be able to take advantage of this, as devices like the iPhone 6 (2015) aren’t able to run iOS 13. Whilst Apple’s system uses a global standard identifier, each country that implements it uses a siloed national database. Thus if an infected European from one country is exposed to a citizen from another European country, they won’t discover it through contact tracing.

Apple’s COVID-19 `ExposureNotification` provides a solution for what’s needed here, but there are caveats. Most significantly, Apple has indicated that only their app will be able to make use of it in order to prevent misuse of the technology by others.

So how do the NHS do it with their COVID-19 app?

How then, can the British NHS COVID-19 effectively trace new devices whilst backgrounded, without “falling asleep” (technically, “being suspended”) and thus being rendered ineffective? From our testing with version `1.0.1b341` of “NHS COVID-19” app, we can see does indeed communicate effectively in the background. It appears that this is done through use of a series of clever workarounds using keepalives and notifications.

Force quitting the app will stop background tracing, however, if instead the phone is powered off and back on, it will continue to communicate properly in the background. This workaround may or may not fall foul of Apple, but at this point it hasn’t been disclosed, and Apple have approved the builds of the app they’ve seen so far.

We’re continuing to look into this and will be publishing more detail as things develop.

Does the NHS COVID-19 app store sensitive data?

No. The app seems very well put together, using sensible security practises, and without storage of unnecessary data. It revolves around a `linkingId` that gets generated for each install of the app. This ID persists across install of the app, so uninstalling and reinstalling it won’t reset the identifier.

Looking at data from the app using Reincubate’s iPhone Backup Extractor under the `uk.nhs.nhsx.sonar` path, we can see there are a series of files coupled to Google Firebase and a collection of small Plists (configuration files) for the rest of the app’s data.

*Looking at the NHS COVID-19 app’s files in a backup

Can users falsely self-report that they have COVID-19?

If a user reports symptoms, the app provides a number to call to arrange a test, along with a reference code. The idea is that the test result is then associated with the user’s reference code. Were a user to falsely report symptoms, confirmation would not happen without the NHS updating the test result to match the user’s code.

Does the app request location permissions?

No, it does not.

Did the NHS mislead the public about using Google APIs?

No. The NHS COVID-19 app is deeply integrated with Google’s industry-standard Firebase API for data storage and management. (The NHS is not using Google or Apple’s contact tracing framework; aside from anything else, this will not be available until the release of iOS 13.5.)

Which services does the app communicate with?

As with the Android app, all material communication is run through to the NHS’ COVID19 API, hosted under `*.covid19.nhs.uk`. The app makes a few other requests as a consequence of using Microsoft’s AppCenter service, but none that are material or sensitive.

If NHS workers use the app, won’t it lead to false positives?

The app prompts healthcare workers to disable Bluetooth on their devices whilst wearing PPE, stating “your interactions at work should not be captured when you are wearing personal protective equipment”.

Reincubate is continuing to look into this and will be publishing more detail as things develop.

Aidan Fitzpatrick, Founder & CEO at Reincubate comments “We’ve been pleased to take a deeper dive into the NHS’s COVID-19 app. Whilst there’s been a lot of speculation around its functionality, what we’ve seen is a well-built and secure app. The background tracing appears to work, although it remains very much in Apple’s control as to whether this will continue to be effective. As a consequence, the effectiveness of the British response to COVID-19 is now also in Apple’s control.

The choice to go it alone or use Apple’s framework will have been a challenging one. Following Apple’s lead would likely have been a less controversial choice. However, iOS 13.5 is not live yet, whereas the British app ships tomorrow, and there’s nothing to stop the UK moving to follow Apple in subsequent updates. Seen through that lens – why not ship a trial in the Isle of Wight first?”

You can view their full analysis of the app here.

About Reincubate 

Reincubate helps consumers and businesses get more from their Apple devices and data.iPhone Backup Extractor and Reincubate’s APIs allow users to examine data managed by Apple and many third-party apps (including Google, Facebook and Microsoft). Trustpilot users have placed Reincubate in the UK’s top 20 most loved software companies, rating its software a near-perfect 9.5 out of 10.

Share This