The App Tracker That Got Us Into DEFCON 2020

Approach

TL;DR

What’s the deal?

You might have missed it, but at the time I am writing this we are in a pandemic. Crazy! I never thought I’d live through something like this, but here we are. With this pandemic, my close family members (the more tech-savvy ones at least) have noticed an explosion of COVID19 applications that are meant to trace the spread of COVID19, at least on the surface. Enter this project.

We call this project our COVID19 App Tracker. In general, our app scrapes the Google Play store for any COVID19 apps that are “Contact Tracing”, “Symptom Tracking”, or “Informational”. Once we scrape the Google Play store, we organize the data as a JSON file and update our GitHub repository and an automated Google Sheet that anyone can access. As the data gets updated on GitHub, we then render the updated list on a GitHub Page. Each scraped app also has its own app profile page that displays information such as the developer name, the origin country, and all the permissions that the app requires.

The goal of this project is to gather all of these apps in one place so that other institutions can look more closely into the developers and the inner workings of each app. Numerous articles have already identified problematic practices in some applications, and some apps even violate their own privacy policies!

The Team

Remember those “tech-savvy” family members? They were also my team members on this project. We are all very involved in the tech space and have strong technical skills.

Since we had four members, we decided that someone needed to be a project manager of sorts, to organize and maintain order as the project went along. We then needed someone who could create mockups and designs with responsive implementation in mind. The last two individuals split the front-end and back-end development, which included working out how we would scrape data from Google Play and add or update apps as they appeared there.

Takeaways

Learning New Tools

The nice thing about projects is that you get to learn new things. My favorite thing I learned was React.js. Am I an expert in it? No! But it was great to get an opportunity to use React with the CSS framework TailwindCSS (way better than Bootstrap, IMHO). Though there was some stumbling along the way, the frameworks we were using let us get something up in a very short amount of time, which in turn let us get our app in front of people for feedback.

Getting Relevant Feedback

At the start of this project, we all wanted to make sure that the thing we were creating was useful and gave people valuable information. To help with this, whenever we sent friends and family members the project, we also sent them a Google Form so we could collect all the feedback in one place. This helped us think about the information that mattered most to visitors, like being able to sort the apps by country on the home page.

DEFCON 2020 Invitation

Once we got enough feedback and implemented several changes, we decided to widen the scope to our professional networks, mainly trying to suss out whether journalists might find what we had useful for identifying risky apps for further research. We eventually got in contact with a cybersecurity journalist who recommended that we apply to speak at DEFCON 2020 (a very well-known hacking conference that usually takes place in Las Vegas). After talking it over with the team, we applied and heard back within two weeks that we had been accepted.

Here is the talk we gave at DEFCON 2020.

After DEFCON 2020

Since that talk, we have gotten a ton of helpful replies about apps that our database missed, as well as several news organizations and researchers who want to talk about the project and how they might be able to use it. It’s been a little overwhelming, since the circumstances of the pandemic seem to change almost every day. But I’m very excited for the future of this project, where we plan on implementing a “scoring” system that codifies an app’s requested permissions to determine its level of risk to potential users. We even got contacted by CNET’s cybersecurity team for an article.

We are trying to stay away from being black and white about this subject matter because, for contact tracing to work, certain permissions need to be granted. That’s why having some sort of rating system would give journalists or researchers a rubric to use when looking into a particular application.
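To make the rubric idea concrete, here is an added example (not the project’s own code) of a permission scoring pass over records shaped like the scraped JSON described above. The permission weights, the per-category “expected” sets, the risk buckets and the three sample apps are all constructed assumptions for illustration; the point is that a permission a category legitimately needs (Bluetooth or location for contact tracing) is not counted against the app, while the same permission on an informational app is.

```python
import json

# Constructed sample records in the shape the post describes
# (name, developer, origin country, category, permissions). Not real apps.
SAMPLE_APPS_JSON = """[
 {"name": "Example Trace", "developer": "Example Health Dept", "country": "US",
  "category": "Contact Tracing",
  "permissions": ["android.permission.BLUETOOTH",
                  "android.permission.ACCESS_FINE_LOCATION",
                  "android.permission.INTERNET"]},
 {"name": "Example Symptoms", "developer": "Example Co", "country": "GB",
  "category": "Symptom Tracking",
  "permissions": ["android.permission.INTERNET", "android.permission.CAMERA"]},
 {"name": "Example Info", "developer": "Example News", "country": "CA",
  "category": "Informational",
  "permissions": ["android.permission.INTERNET",
                  "android.permission.ACCESS_FINE_LOCATION",
                  "android.permission.READ_CONTACTS"]}
]"""

# Hypothetical weights: how sensitive a permission is on its own.
BASE_WEIGHT = {
    "android.permission.ACCESS_FINE_LOCATION": 3,
    "android.permission.ACCESS_COARSE_LOCATION": 2,
    "android.permission.BLUETOOTH": 1,
    "android.permission.READ_CONTACTS": 3,
    "android.permission.CAMERA": 2,
    "android.permission.RECORD_AUDIO": 3,
    "android.permission.INTERNET": 0,
}

# Hypothetical per-category allowances: permissions the app's stated purpose
# justifies, so they are not held against it (the "not black and white" part).
EXPECTED_BY_CATEGORY = {
    "Contact Tracing": {"android.permission.BLUETOOTH", "android.permission.INTERNET",
                        "android.permission.ACCESS_FINE_LOCATION",
                        "android.permission.ACCESS_COARSE_LOCATION"},
    "Symptom Tracking": {"android.permission.INTERNET"},
    "Informational": {"android.permission.INTERNET"},
}

def score_app(app):
    """Sum the weights of permissions the app's category does not justify.
    Unknown permissions get a default weight of 1 rather than being ignored."""
    expected = EXPECTED_BY_CATEGORY.get(app["category"], set())
    unexpected = sorted(p for p in app["permissions"] if p not in expected)
    return sum(BASE_WEIGHT.get(p, 1) for p in unexpected), unexpected

def risk_level(score):
    """Coarse bucket for the rubric (thresholds are an assumption)."""
    return "low" if score == 0 else "medium" if score <= 3 else "high"

def score_all(apps_json):
    """Parse the scraped JSON and return one rubric row per app."""
    rows = []
    for app in json.loads(apps_json):
        score, unexpected = score_app(app)
        rows.append({"name": app["name"], "score": score,
                     "level": risk_level(score), "unexpected": unexpected})
    return rows
```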