Towards a Threat Model and Security Analysis for Contact Tracing Applications

Abstract

Pandemics have caused millions of infections and hundreds of thousands of deaths in recent years. To combat the spread of infection, researchers have explored contact tracing via smartphones. In contact tracing, the smartphones of the users exchange information with nearby smartphones via Bluetooth. If it is needed to explore the list of people someone has come into contact with, the contact tracing logs can be used to identify such people. However, such contact tracing apps have many security and privacy concerns. In this paper, we discuss the security and privacy issues of Contract Tracing Applications and analyze the threat model of such applications using the STRIDE model. We also use the model to assess the vulnerabilities in eight actual contact tracing apps from different regions.