key: cord-0145736-ij0ky2h8
authors: Ali, Amal Awadalla; ElFadl, Asma Hamid; Abujazar, Maha Fawzy; Aziz, Sarah; Abd-Alrazaq, Alaa; Shah, Zubair; Belhaouari, Samir Brahim; Househ, Mowafa; Alam, Tanvir
title: Contact Tracing Apps for COVID-19: Access Permission and User Adoption
date: 2021-02-06
journal: nan
DOI: nan
sha: 9a7af980ba402bfa0f8d62465b0d219dc8a4785f
doc_id: 145736
cord_uid: ij0ky2h8

Contact tracing apps are powerful software tools that can help control the spread of COVID-19. In this article, we evaluated 53 COVID-19 contact tracing apps found on the Google Play Store in terms of their usage, rating, access permission, and user privacy. For each app included in the study, we identified the country of origin, number of downloads, and access permissions to further understand the attributes and ratings of the apps. Our results show that contact tracing apps had low overall ratings and nearly 40% of the included apps were requesting dangerous access permission including access to storage, media files, and camera permissions. We also found that user adoption rates were inversely correlated to access permission requirements. To the best of our knowledge, our article summarizes the most extensive collection of contact tracing apps for COVID-19. We recommend that future contact tracing apps should be more transparent in permission requirements and should provide justification for permissions requested to preserve the app users privacy.

The global outbreak of novel coronavirus disease 2019 (COVID-19) has caused unprecedented health, social, and economic effect on mankind [1] . The COVID-19 disease, caused by novel coronavirus (SARS-CoV-2), has spread rapidly from person to person (i.e., being in close contact, through respiratory droplets from coughing, sneezing, or touching nose or eyes after touching infected objects, or other media) around the world which mainly caused severe respiratory illness to the infected person [2] . Considering the severity of this disease, The World Health Organization (WHO) declared the COVID-19 outbreak as a pandemic on March 12, 2020 [3] . As of August 07, 2020, more than 19 million people have been infected, and nearly 720000 fatalities resulted from COVID-19 [4] .

For the containment of the COVID-19, the WHO recommended people to practice simple precautions like hand washing, covering the mouth and nose by wearing appropriate masks, practicing physical distancing of one meter (three feet), and avoid large group gatherings [5] . At the same time, tremendous effort from the scientific community has been invested in discovering treatments, including antiviral drugs, and vaccines. Although no effective medications or vaccines have been discovered so far, to eradicate the COVID-19, different pharmaceutical prophylaxis and treatment such as Dexamethasone, Remdesivir, and few others are tested for their efficacy [6] . Many other attempts are underway to discover an effective vaccine, as well [7] . As of July 2020, more than 25 candidate vaccines for COVID-19 are at different phases of clinical trials [8] . In fact, the vaccine development is a lengthy, laborious, and expensive process [9] , and the whole world is waiting for an effective vaccine to come out to eradicate this disease.

With the above backdrop and the lack of effective therapeutic solutions against COVID-19, contact tracing mobile apps could be considered as a viable option to control or minimize the spread of the COVID-19. These days usage of mobile technologies has grown rapidly with the increasing usage of mobile electronic devices such as smartphones. As part of controlling the spread of COVID-19, contract tracing apps for smart mobile phones are already implemented in different countries [10] . Those apps are defined as mobile software applications that use digital contact tracing in response to the COVID-19 pandemic. These apps are already rolled out to identify people who were in close contact with other infected persons, to alert them to step away, daily updates on the census for the COVID-19 cases according to their locations, and necessary safeguarding instructions from the government [11] .

As the number of contact tracing apps is surging, it is essential to understand its usage, ratings, permission, and privacy setting to understand users' adoption. Lalmuanawma et al. summarize the contribution of artificial intelligence (AI) in combating COVID-19 [12] and mentioned a list of 36 34 contact tracing apps considering several aspects of privacy preservation for the uses. The authors also described the design paradigm, the potential vulnerability of private data, the robustness of privacy protection schemes for the apps [15] . Azad et al. analyzed 23 contact tracing apps considering their security, permission, and privacy [16] . The authors also mentioned that some contact tracing apps failed to follow proper security measures while exchanging data to and from the data centers. Table I summarizes a list of existing review articles that summarize contact tracing apps for COVID-19 from different perspectives.

But the existing review articles on COVID-19 contact tracing apps covered either too few numbers of contract tracing apps, or they considered only privacy aspects of the apps without describing other relevant aspects like ratings, downloads, and permission details. This study aims to analyze the existing COVID-19 contact tracing apps in terms of their usage, rating, access permission, and user privacy. To the best of our knowledge, this article covers the largest number of contact tracing apps for COVID-19.

To collect a list of COVID-19 contract tracing apps, we searched for apps that have been officially released by different countries. We searched for existing literature in PubMed and Google Scholar. Some contact tracing apps (e.g., Ehteraz, Covi-ID, and many others) are released into Google Play Store without corresponding research articles published; therefore, for those contact tracing apps, we also searched the Google Play Store. As of August 10, 2020, we were able to collect a list of 53 contact tracing apps from 53 countries (Table II) .

We collected the metadata for each contact tracing app from Google Play Store, such as a short description, categories, average rating, number of users who rated the app, last update version, size, number of installations, current version, required android version, access permissions, developed by, privacy policy website, and application website from Google Play Store. Supplementary Table 1 provides the details of this metadata for each app.

Google provides a list of permissions corresponding to individual apps, with a purpose to protect the privacy of the user. These permissions are divided into different subcategories. To determine the protection level of these android apps, we considered the Android permission levels [17] and mapped them to Google Play Store permissions available from the app metadata. Owing to the fact that we did not use the source codes of android apps, thus, to overcome this issue between manually gathering of permissions rather than source code analysis, we mapped the dangerous android permissions as mentioned in documentation to Google Play permissions considering that they mean same according to descriptions provided by each one. These mapping could be observed in Supplementary Table 2 .

Correlation analysis, along with statistical significance, of apps permission and corresponding ratings and normalized number of downloads considering the population size of respective countries were computed using the SPSS software.

The list of contact tracing apps mainly belonged to four categories: (a) health & fitness (n=25), (b) medical (n=22), (c) lifestyle (n=3), and (d) social (n=2) (Fig. 1) . We found only one contact tracing app MorChana, from Thailand, which was under the category of the tool. From Fig. 1 , we noticed that the lifestyle group had the highest average rating equal to 3.8, followed by the health and fitness group with an average rating equal to 3.7, then medical group with an average rating equal to 3.6, and the social group with an average rating equal to 3.5. Fig. 2 illustrates the rating of contact tracing apps and the number of downloads for the apps. We observed that the contact tracing apps in the health & fitness category have the highest number of downloads among all apps. Interestingly we found that the Aarogya Setu app developed for India had the highest number of downloads by more than 100 million users, followed by Coron App developed for Colombia having more than 10 million downloads. Corona Warn App, Hayat Eve Sigar, CUIDAR COVID-19 developed for Germany, Turkey, and Argentina respectively were downloaded by more than 5 million.

On the other hand, the lowest number of app installs was Corona 360 developed for South Korea had only 100 downloads, followed by Covi-ID developed for South Africa having 500 downloaded. CovTracer, GH Covid-19 Tracker App, Best Covid Gibraltar, and Kenya Covid-19 Tracker developed for Cyprus, Ghana, Gibraltar and Kenya, respectively had over 1000 plus downloads only. 

App permissions in Google Play Store have been categorized according to the android version. For Android 5.1 and lower, there are 16 permissions groups, while for android 6.0 and higher, there are nine permissions groups (Supplementary Table 2 ). Some permissions are not categorized in the permissions group, so we categorized them as "other" [18] . Furthermore, users who use Android 6.0 and higher can control which permission group can access device information [19] . After the user downloads an application from Google Play Store by using Android 6.0 and higher each permission group will be shown separately, and the user can control which permission can access the device information [19] . Whereas in Android 5.1 and lower, a list of permissions groups are shown before downloading the application, and the user can accept all the permissions groups and download the app or decline it and the app will not be downloaded [18] . From the pool of 53 contact tracing apps, we found that 27 apps are suitable for Android version 5.0 and higher (Fig. 3) . Fig. 1 . Y-axis represents the apps' average rating, and the X-axis represents the normalized number of downloads. As the number of populations differs from country to country, we divided the number of actual downloads by the total population to normalize the value in X-axis. Fig. 4 summarizes the access permission requested by the 53 contact tracings apps. As shown in Fig. 4 , all contact tracing apps require full network access permission. Most apps require access to view network connection (n=52) and prevent devices from sleep (n=46). About three-quarters of apps require access to run at startup (n=40) and pair with Bluetooth devices (n=40). Approximately 71.1% of apps require access to the location (n=38) and receive data from the internet (n=38). Nearly half of the apps require Bluetooth access (n=28). More than 30% contact tracing apps require access to storage (n=20), photo/media/file (n=20) and camera (n=16).

The least frequently access permissions were control vibration (n=14), Wi-Fi connection information (n=13), device and app history (n=7), phone (n=6), device ID and call information (n=4), draw over other apps (n=4), Google Play license check (n=4), contacts (n=3), change network connectivity (n=3), connect and disconnect from Wi-Fi (n=3), read Google service configuration (n=3), microphone (n=2), create accounts and set passwords (n=2), read sync settings (n=2), toggle sync on and off (n=2). Only 1.9% of apps require to access change your audio settings (n=1), disable your screen lock (n=1), send sticky broadcast (n=1), set an alarm (n=1), control flashlight (n=1), uninstall shortcuts (n=1), install shortcuts (n=1), and calendar (n=1). 

Dangerous permissions are referred to as accesses made by apps to use data and resources that are private, store data in devices or operations related to other apps [20] . For example, the ability to read the user's contacts is dangerous permission as the app tries to get control over the private data. These dangerous permissions withhold great importance as they could lead to potential privacy-data breaches [21] . Table III shows the percentage of potentially dangerous permission requests [17] made by contact tracing apps. For the purpose of COVID-19 contact tracing, the location permission is of great importance as the app could alert a user when he/she is in close contact with an infected person. But more than 30% of contact tracing apps require read/write access to USB storage and multimedia (photo/media/file), which may raise a great concern for the app users. 

Correlation between the app's permission and corresponding rating and downloads were computed (Table  4) . From Table IV , we can observe that both ratings and downloads were inversely related to the dangerous permissions like location, storage, photos/media/files. The contact tracing apps with dangerous permission, storage had lower downloads (correlation: -0.18; p-value:0.11). The number of downloads is lower for the apps having photos/media/files permission (correlation: -0.18; pvalue:0.11). A similar trend was observed for the apps requiring wi-fi connection information (correlation: -0.10; pvalue:0.24), though the correlation was not statistically significant. IV. DISCUSSIONS This article aimed to provide an overview of the COVID-19 contact tracing apps, including the permissions mentioned in the Google Play Store for the corresponding apps. Based on our analysis, we found that the average ratings for the contact tracing apps are not very high. The highest average rating for contact tracing apps was 3.8; this indicates the existence of avenues that need to be addressed by the developers and policymakers to improve the user adoption and rating for the apps. Most of the contact tracing apps were supporting Android version 5.0 and above. If the apps were compatible with the older version of Android as well, then we could expect more downloads as some of the Android users may not update their system for a long time.

The Number of downloads was varying for the contact tracing apps from country to country. On the higher side, we noticed 5-100 million downloads, and on the lower end, we observed only a few hundred downloads. Additionally, smartphone penetration is low in lower-to-middle income countries (e.g., Bangladesh, India, Pakistan), which may disenfranchise a certain group of population in lower-tomiddle income countries. For the containment of COVID-19, successful outreach for contact tracing apps is mandatory; otherwise, a certain group of the population might be left without the app, causing a different rate of infection. So, we would recommend investigating the driving force for the installation of contact tracing apps across different countries.

Interestingly, some contact tracing apps were requiring access to set the alarm, flashlight, set shortcut which was entirely unnecessary for contact tracing. Also, apps that require access to photos/media/files can read sensitive log data, web bookmarks, and history or retrieve internal system state and running apps [18] , [22] . As a result, an inverse relationship between the dangerous access permission of the apps and user adoption (number of downloads and rating) was observed.

Privacy and mobile health are interconnected because the information is shared and accessed using different means. Tracing apps may obtain personal information of people such as location, phones, camera, microphone, contacts, storage, and many others, which may lead to the breach of privacy. Thus, security and privacy policies should be explained clearly for all the apps in a simple language for users. Relevantly, Amnesty International UK pointed out seven principles at the plan of the UK Government's decision to roll-out a contacting-tracing app [23] . Therefore, governments should focus on contact tracing apps that are privacy-preserving following an acceptable guideline [23] , and that would gain the confidence of the citizens. Overriding the consent and privacy of people for the sake of COVID-19 surveillance may raise the distrust in its population and, ultimately, lead to poorer health outcomes in this COVID-19 pandemic.

In this article, we have summarized 53 contact tracing apps developed to combat COVID-19 highlighting their ratings, user adoption, and access permissions. Some countries declared the ordinance for the usage of contact tracing apps as mandatory (e.g., China, Qatar), while other countries kept it as optional. Mandatory usage of apps may raise the eyebrow in the community considering the surveillance and privacy issues [24] . On the other hand, optin contact tracing initiatives require a lot of motivation and public awareness for the users. We believe our study will provide the governments, policymakers, and apps development industry an overall picture of the usage, ratings, and privacy aspects of these contact tracing apps. Further investigation on these features will enable us to develop a secure and privacy-preserving user-friendly contact tracing app for the containment of COVID-19. We only considered contact tracking apps from Google Play Store. In future, we will extend the list of contact tracing apps as well as include apps from the Apple App Store.

Supplementary files for this article are accessible in github: https://github.com/tanviralambd/ContactTracing.

COVID-19: what is next for public health?

Contact tracing in the context of COVID-19: interim guidance

On the responsible use of digital data to tackle the COVID-19 pandemic

An interactive web-based dashboard to track COVID-19 in real time

Advice for the public on COVID-19 -World Health Organization

COVID-19Base: A knowledgebase to explore biomedical entities related to COVID-19

Draft landscape of COVID-19 candidate vaccines

Developing Covid-19 Vaccines at Pandemic Speed

Smartphone breast applications -What's the evidence? The Breast

COVID-19 apps

Applications of machine learning and artificial intelligence for Covid-19 (SARS-CoV-2) pandemic: A review

Global Deployment Mappings and Challenges of Contact-tracing Apps for COVID-19

A Survey of COVID-19 Contact Tracing Apps

Vetting Security And Privacy Of Global COVID-19 Contact Tracing Applications

A First Look at Contact Tracing Apps

Manifest.permission. Developer Android

Review app permissions on Android 5.1 & lower

Control your app permissions on Android 6.0 & up

Permissions overview. Android Developers

Protecting contacts against privacy leaks in smartphones

The epidemiological characteristics of 2019 novel coronavirus diseases (COVID-19

7 principles that should be guiding roll-out of any COVID-19 contacting-tracing app