The NHS has kept its promise to share the source code for the UK contact tracing app and to put both the code and its documentation on GitHub. This allows security researchers to examine the code to determine exactly how it works, check it for errors, and try to solve a mystery.
Developers will be keen to understand how the app appears to work in the background in a way that should not be possible.
An iOS app should not be able to broadcast Bluetooth codes while it is running in the background; it can only receive them. That would mean two iPhone users sitting side by side, each with another app in the foreground, would have their contact registered by neither phone.
However, the NHS claimed it had found a way to work around this limitation, and early testing suggests that this is largely the case, reports the BBC. The app could successfully run in the background for at least 90 minutes, and sometimes longer.
NHSX had said it had found its own solution. Preliminary tests by a cyber security company indicate that this has been successful.
Pen Test Partners installed the app on a handful of jailbroken iPhones – modified so they could monitor activities that are normally hidden from users.
‘When the phones are placed near each other for the first time, they will “beacon” via Bluetooth every eight or 16 seconds,’ said co-founder Ken Munro. ‘Others had expressed concerns that the app is not effective in the background.
‘Our tests have shown that this does not appear to affect beaconing, regardless of whether the phones first encountered one another or were subsequently physically removed and then brought back into range.’
A second company, Reincubate, found that the app sometimes went ‘silent’ if it ran in the background for more than 90 minutes without interference, but suggested that this shouldn’t be too much of a problem under real conditions.
‘A number of sensible factors can cause this window to expand, including other uses of Bluetooth, the presence of Android devices, and the effectiveness of notifications [asking the user to reopen the app],’ he blogged.
‘In our tests, the iOS devices on which we run the app continued to run the background service overnight.’
The first launch of the coronavirus app in the test area was also promising. The NHS reported around 40,000 installations among 141,000 residents. This corresponds to an uptake of 28% – far below the minimum of 60% that epidemiologists say is needed for the app to make a meaningful contribution, but still extremely impressive for the first day. The population of the Isle of Wight is significantly older than that of the United Kingdom as a whole, which challenges stereotypes about older people and technology, but may also reflect greater compliance among older people with government requests.
Many are still asking the UK government to adopt the Apple / Google API when the app is rolled out across the country, and there are signs that the government is now seriously considering this.
It has been reported that the NHS has commissioned a feasibility study to make the switch, and the Guardian reports that the government appears to be influenced by calls from technical experts, human rights groups and politicians to introduce the more private API.
After repeated warnings that Britain will be an outlier if it insists on using its own centralised app instead of relying on Google and Apple technology, rights groups and MPs said on Thursday that the lack of privacy and data protection means the app could be illegal […]
A source told the Guardian that Downing Street is now skeptical about healthcare decisions to build a separate app […]
Matthew Gould, head of NHSX, told a parliamentary committee that the decision to build the app without the involvement of the California companies was not set in stone. “When it becomes clear that a different approach is better and achieves the things we need to do more effectively, we will change. We are not particularly tied to a single approach. It is a very pragmatic decision about which approach is likely to deliver the results we need.
“If we want to take a different approach, we may need to do some heavy engineering work to do that. But I want to assure you that just because we have taken a route does not mean that we are bound by it.”
I suspect many people will be interested in examining the source code!