Emmanuel Gadasu writes: security analysis of the GH COVID-19 tracker app

    The launch of the GH COVID19 Tracker app by the Government of Ghana has been met with many reactions from Ghanaians. Diverse views have been presented and the various social media platforms have been buzzing with GH COVID19 Tracker app issues.

    While a section of Ghanaians see the app as needless and useless, others see it as a tool for the government to track people needlessly. Another section commends the government for its efforts. But as professionals, we need to present our views within the remit of our profession so that users can appreciate the issues and form their own judgment.

    Technically, the intention of an app can truly be determined only by the developer, because so many things are hidden from the user. The intention as described by the developer may be a deception in its entirety, or some aspect of it may be hidden from the user. The intention can be genuine or malicious.

    Again, the storage of and access to the collected data are mostly hidden from the user, and it is only through complex technical analysis, such as decompiling the APK or the app, that professionals can come to know or infer the intentions.

    As a security and privacy professional, I decided to take a look at the app and pass my professional comment. I have read the terms and conditions from http://ghcovid19.com/installation_guide.pdf and as professional ethics demand, I did not decompile the APK but rather took the details of the installed app as shown below to do my analysis. 

    From the above figure, it means by design, the GH COVID19 Tracker app can have access to the following on your device: Calendar, Camera, Contacts, Location, Microphone, Phone, and Storage. 

    This means that the developers have designed the app so that it can HAVE ACCESS to the above resources on your mobile device. However, if the access is disabled, then it means that the app does not have access to that resource and therefore cannot use or manipulate it. 

    [This is debatable as some apps can covertly have access to some resources even though they do not have explicit access]

    So, it can be technically concluded that the GH COVID19 Tracker app has been designed to have access to the resources listed above as shown in the above image. The access can be ALLOWED or DENIED by the user.


    On Android, there are two basic types of permissions:

    1. Normal permissions, that is, permissions that don’t pose much risk to the user’s privacy or the device’s operation. For example, access to the Internet.
    2. Dangerous permissions, that is, permissions that could potentially affect the user’s privacy or the device’s normal operation. For example, access to your location. This can be used to track your whereabouts and can infringe your right to privacy.

    Now, what are the implications of granting permissions to these resources:

    Calendar: If granted the access, the GH COVID19 Tracker app can read your Calendar schedules and manipulate them.

    Camera: The app can have access to your Camera. If granted the permission, it can take pictures covertly, without the user’s knowledge.

    Contacts: The GH COVID19 Tracker app will have access to your contacts if granted the permission. It can manipulate your contacts on your phone. 

    Location: If granted the access, the app will have access to your location (GPS coordinates), which allows you to be tracked by location.

    Microphone: The GH COVID19 Tracker app can record voice via the microphone or receive and process voice via the microphone when granted the permission.

    Phone: The app can be used to make calls directly through the app if granted the permission to access the Phone.

    Storage: The app can use and manipulate your storage, internal or external, when granted the permission.

    Hence technically, the GH COVID19 Tracker app has been designed to have dangerous permissions once installed.

    The access to permissions that could potentially affect the user’s privacy or the device’s normal operation per se MAY NOT be an issue when handled professionally with the user being made aware of the process of collection, processing, storage, and dissemination of their data. 

    Given the stated objective of tracking, that objective is technically impossible to meet if the user’s location is not collected. The permission to access Contacts may be relevant to a complex algorithm that helps the government’s contact tracing efforts.

    However, will access to Calendar, Camera, Microphone, Phone, and Storage be necessary? What is the intention? 
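The same review can be repeated on a handset without decompiling anything, because `adb shell dumpsys package <package>` prints each permission with its grant state. The following is an added example, not code from the original article or from the app's developers: it parses that output, groups dangerous permissions the way the settings screen does, and flags granted groups other than Location and Contacts, the two the article ties to contact tracing. The package name and the dump are constructed, and the permission table is a subset of Android's list.

```python
import re

# Dangerous (runtime) permissions mapped to the groups shown on Android's
# per-app permission screen. Subset covering the groups the article lists.
GROUPS = {
    "READ_CALENDAR": "Calendar", "WRITE_CALENDAR": "Calendar",
    "CAMERA": "Camera",
    "READ_CONTACTS": "Contacts", "WRITE_CONTACTS": "Contacts",
    "ACCESS_FINE_LOCATION": "Location", "ACCESS_COARSE_LOCATION": "Location",
    "RECORD_AUDIO": "Microphone",
    "READ_PHONE_STATE": "Phone", "CALL_PHONE": "Phone",
    "READ_EXTERNAL_STORAGE": "Storage", "WRITE_EXTERNAL_STORAGE": "Storage",
}
JUSTIFIED = {"Location", "Contacts"}  # groups the article ties to contact tracing

# Constructed dumpsys excerpt for a hypothetical package, not the real app.
SAMPLE = """\
Package [com.example.tracker] (constructed):
    install permissions:
      android.permission.INTERNET: granted=true
    runtime permissions:
      android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET ]
      android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
      android.permission.CAMERA: granted=true, flags=[ USER_SET ]
      android.permission.RECORD_AUDIO: granted=false, flags=[ USER_SET ]
      android.permission.READ_CALENDAR: granted=false
      android.permission.CALL_PHONE: granted=false
      android.permission.WRITE_EXTERNAL_STORAGE: granted=true, flags=[ USER_SET ]
"""
LINE = re.compile(r"^\s*android\.permission\.(\w+): granted=(true|false)", re.M)

def audit(dumpsys_text):
    """Map each dangerous-permission group to its grant state and members."""
    report = {}
    for name, granted in LINE.findall(dumpsys_text):
        group = GROUPS.get(name)
        if group is None:  # normal permission such as INTERNET
            continue
        entry = report.setdefault(
            group, {"granted": False, "justified": group in JUSTIFIED, "permissions": []})
        entry["permissions"].append(name)
        entry["granted"] = entry["granted"] or granted == "true"
    return report

def questionable_grants(report):
    """Granted groups that the stated tracing purpose does not explain."""
    return sorted(g for g, e in report.items() if e["granted"] and not e["justified"])

if __name__ == "__main__":
    for group, entry in sorted(audit(SAMPLE).items()):
        print(f"{group:<10} granted={entry['granted']!s:<5} justified={entry['justified']}")
    print("Review:", questionable_grants(audit(SAMPLE)))
```

A group that is requested but shows `granted=false` is one the user has denied or not yet been asked for; only the granted, unexplained groups are returned for review.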

    GH COVID19 Tracker App Terms and Conditions

    How it Works

    When you start using GH COVID-19 Tracker App as a User, the App will collect certain health-related information about you, and other general information such as your name, phone number, gender, age, sex, risk factors, the region in which you live, or information about your existing health conditions, which may be helpful for the Government of GHana (GoG) to correctly provide you with any required help and advice.

    Whilst using this App as a User, you will allow the “GH COVID-19 Tracker” App to use your data but note that this data will only be used for the intended purpose. GoG may use the mobile number provided by you to contact you in case of possible infection. Any personal information provided by you may also be shared with other necessary and relevant persons (if required) in order to carry out necessary administrative and medical interventions. 

    Source: http://ghcovid19.com/installation_guide.pdf  


    The following are a few concerns I think we need to take a look at:

    1. The personal and health data provided by a user to the GH COVID-19 Tracker may be helpful for the GoG to correctly provide you with any required help and advice. How the GoG will do this is beyond the ordinary user. There is a lot of backend, behind-the-scenes processing that can be deployed to achieve the GoG’s objectives. Will the government and its related partners use the data collected as indicated?

    2. The app is not deployed on Playstore or AppStore. These platforms screen apps for some basic and advanced security measures before they are hosted. They sweep and remove apps that do not comply with their security policies. Although it is possible for apps not hosted on these platforms to be installed on your mobile device, Google and Apple do not encourage that and therefore are not responsible for any security issue that emerges after a user installs such apps. As of the time of this write-up, the very website from which this app can be downloaded is not secured: there is no SSL protection. This is a basic requirement and does not really cost much to implement. http://ghcovid19.com

    3. The Data Protection Act, Act 843, mandates that every entity that collects, processes, stores, or disseminates Ghanaian citizens’ personal data be registered with the Ghana Data Protection Commission. Are the companies involved, iQuent Technologies and Ascend Digital Technologies, duly registered with the GDPC, and can they hence be trusted to handle thousands of Ghanaians’ personal data?

    My search conducted on the GDPC’s website shows none of these companies are registered as Data Processors. https://registration.dataprotection.org.gh/search_register.php 

    Written by Emmanuel K. Gadasu

    [Information Security and Data Protection Practitioner] CEH, CHFI, MSc Information Security.
    Phone/WhatsApp: +233-24 391 3077

    Follow on LinkedIn, Facebook and Twitter @wahehejnr

    Edited by Rex Krampa

