While the launch of the Ghana Covid Tracker App comes from a good place (and if there’s one person in the government I’m a fan of, it’s the Vice President), there are a few matters which my colleague Bright Simons talked about. Like reported communication always goes, it has suddenly become fodder for all sorts of name-calling. Funnily, if there’s anything we both have expertise in, it’s enterprise software 😉.
Now let’s get to the issues:
1. Apple and Google together run possibly about 99% of all working smartphones. They decided to add to their operating systems trackers for covid-19 to ensure that contact tracing is done the right way.
2. They have suspended approval of any such apps further to a specific review of ownership by governments. The reason is simple: we are in a pandemic and while there might be very enthusiastic app developers trying to showcase their willingness to help, contact tracing is very serious business.
You don’t want sensitive personal information harvested and sent to wrong hands. Even with governments, especially those with autocratic tendencies, this becomes a very great opportunity to harvest private data from citizens unwittingly to further monitor and terrorize them.
3. Apple and Google’s implementation leverages their operating systems and is phased in two parts: the first is an app, which will of course have lesser adoption, while the second phase, in May, is a set of APIs that interact directly with the operating system.
This will mean that the systems will run by themselves and governments can then align contact tracing data through people’s proximity with each other, using Bluetooth as the main proximity benchmark. This is appropriate because the virus is typically transmitted within Bluetooth range.
4. Ghana does not, and should not be left out in the narrative as being ahead of the curve in Africa, and we are all proud of that. In fact, Ghanaian innovators are well celebrated across the continent.
The problem is the willingness to sidestep a few best practices in order to be “seen”, as it were:
A. It is not sound practice to direct people to a website outside an app store ecosystem to download apps for personal devices like phones, especially when the app is taking aspects of your privacy like location data, access to Bluetooth, your basic information and even a possible covid-19 status summary. It is a recipe for information theft.
B. There is a huge risk of phishing. Even with MTN MoMo, people get defrauded every day. Scammers are free to use this system to scam people. All they need to do is create a web link very similar to the Ghana one, and put in a mirror of this APK file with a backdoor that mines all your personal information.
Bullshit, you may say, but this is why: while you are installing the app, you will be asked to change your security settings to allow installation from other untrusted sources. Many of you will not take time to look at the signature or certificate of the app and the checksum to see if it’s the same as the original APK before installation. So if there is a phished site, bam! You are in!
C. A lot of foot soldiers, as usual, have fallen for the third aspect by sharing the link. This sharing gives it credibility and believability. The simplicity of the app, and the fact that it will prey on most people’s lack of appreciation of technology, means that if I was committed, by 6am tomorrow me and a few mischievous friends will have used a phished site and version to infiltrate the space and deceive people.
D. A lot of the sharing will be done via third parties: WhatsApp groups, Facebook groups, Twitter links, etc. Very few people have anti-phishing and anti-malware apps on their phones, so you will allow that Trojan horse in without knowing.
E. Should there be a bug, requiring a new version of the app, automatic downloads will also not be trusted and handled securely. They will come as and when and clicking yes could either mean you are signing your digital ID away or not.
F. By sidestepping the Play Store, all chances to vet the app and its suitability in terms of security, quality and a few other standardization measures are lost. It will not be part of the Google Apps framework and therefore you are on your own if anything happens.
G. What is being done is akin to saying that you are a musician, with a record company, but then you want to release a song you think is a hit song on your own only because the record company will arrange the beats perfectly but you are more interested in leaking the bootleg version of your song before the record company does it. No pun intended on the launch being a music concert. Bawumeezy should have dropped some bars!
H. Note also that, by the very nature of the app, and I’m sure by this time, a lot of people will have put in misleading information that will even serve to trigger the much feared phrase “fear and panic” because of the number of false positives it will provide, but that’s another issue. There is no OTP validation, no 2-factor validation and not even a CAPTCHA test to show that the information is being entered by a human and not by a bot. That should have been a cardinal marker of security and data integrity but is non-existent.
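The check described under point B, which most people skip before sideloading, can be scripted on a computer before the file ever reaches the phone. This is an added example, not code from the app or its publishers; the host name `tracker.example.gov.gh` is an assumed placeholder and the two sample files are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import tempfile
from urllib.parse import urlsplit

# Assumed placeholder: the post does not give the real download host.
OFFICIAL_HOST = "tracker.example.gov.gh"

def link_is_official(url, official_host=OFFICIAL_HOST):
    """True only for an HTTPS link whose host is exactly the official one."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    return parts.scheme == "https" and host == official_host

def sha256_of(path, chunk_size=65536):
    """Hash the file in chunks so a large APK is never loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def vet_download(url, apk_path, published_sha256):
    """Return the reasons to refuse installation; an empty list means both checks passed."""
    reasons = []
    if not link_is_official(url):
        reasons.append("link is not HTTPS on the official host")
    expected = published_sha256.strip().lower().encode()
    if not hmac.compare_digest(sha256_of(apk_path).encode(), expected):
        reasons.append("checksum differs from the published value")
    return reasons

if __name__ == "__main__":
    # Constructed sample data: two small files stand in for the real and mirrored APKs.
    workdir = tempfile.mkdtemp()
    genuine = os.path.join(workdir, "genuine.apk")
    mirrored = os.path.join(workdir, "mirrored.apk")
    with open(genuine, "wb") as fh:
        fh.write(b"constructed genuine build")
    with open(mirrored, "wb") as fh:
        fh.write(b"constructed genuine build + extra code")
    published = sha256_of(genuine)
    print(vet_download("https://tracker.example.gov.gh/app.apk", genuine, published))
    print(vet_download("https://tracker-example-gov-gh.example/app.apk", mirrored, published))
```

The checksum comparison only means something when the published value is obtained from a channel other than the download link itself, since a mirrored site can publish a checksum that matches its own file.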
I personally met a friend who had developed something similar about 3 weeks ago and I told him that the government has probably already had a team working on it.
So folks, go ahead and download the APK from a website whose URL you can’t immediately recognize clearly. It’s your choice.
The point remains, though, that the most prudent thing would have been to have it in the various ecosystems of the app stores. That way any data breaches and violations would be proactively managed within the boundaries of best practice.
Seeing that next week is when the 2 global giants will outdoor their app, with perhaps the best type of knowledge and infrastructure at their disposal, it would possibly have been more prudent to have waited for them on this one.
And those in authority, who want order and discipline in these extraordinary times should have seen to that.
Anyway, let’s get the conversation going on. Ghana should win.