This is an ongoing article. It is intended to serve as a reference for researchers and may be subject to modifications.
TL;DR: If you're looking for the Google Sheets file containing all the European API endpoints, it's at this link.
As the COVID-19 global pandemic worsened, different countries began looking for ways to trace the spread of the infection in an effort to cut the transmission as soon as it was detected.
The result of this effort was Contact Tracing Apps: simple yet effective applications that broadcast and listen for specially crafted Bluetooth Low Energy (BLE) beacons to determine whether a person has been in close contact with someone infected, and for how long.
Without a doubt, the universal specification for exchanging these BLE messages has been and still is GAEN (Google/Apple Exposure Notification), yet each country or region chooses a different approach for all the other aspects of the app, such as notifying COVID-19 positives and verifying exposures.
And so, here we are now. Almost every country in Europe has its own Contact Tracing App with its own respective backend servers that have their own different implementation and that, in the majority of cases, are not compatible with one another.
The purpose of this brief article is to put together all the technical information I've been collecting about these apps and to serve as documentation for other researchers.
At the time of writing, there are 21 European countries using Contact Tracing Apps (CTAs) in production.
They can be classified mainly by the license of their source code and the backend implementation they are using.
Although the vast majority of CTAs are open-source, there are 3 (dis)honorable mentions of countries with no intention of publicly releasing the source code of their apps:
- VirusRadar (Hungary): Not only is it closed source, but it is also centralized and requires users to register with a phone number and other identification details to start using it.
- Korona Stop LT (Lithuania): The latest app of this kind to have been released in Europe. It is based on Corona-Warn-App (provided under the Apache-2.0 License), so maybe they intend to release the source code soon, who knows.
- Smittestop (Denmark): Built on Xamarin, it is more difficult to decompile than other apps and also requires user registration.
Most apps have their own implementation for their backend servers. Of the ones that are based on a common specification or library, DP-3T and CWA have an almost equal market share.
DP-3T (short for Decentralized Privacy-Preserving Proximity Tracing) is developed mainly by the EPFL in Switzerland and has also had great influence on the GAEN protocol.
Apart from the one from its home country, the CTAs from Estonia, Malta, Portugal and Spain use this implementation too.
CWA gets its name from the German CTA (Corona-Warn-App). The source code of the entire infrastructure of this app is available on GitHub, as is the case with DP-3T. Belgium, Germany, Lithuania and Slovenia have chosen this implementation.
Despite not being an actual open-source implementation as with the previous cases, some Eastern countries use S3 buckets to host their TEKs (Temporary Exposure Keys) for app clients to download them.
These countries are Czechia, Latvia and Poland.
In the "other" category, it's worth mentioning the apps from Ireland and France (COVID Tracker and TousAntiCovid, respectively).
COVID Tracker is based on the COVID Green project from the LFPH (Linux Foundation Public Health). It does not require user registration, but enforces OAuth Bearer authentication in all requests to the backend.
TousAntiCovid (previously known as StopCovid) is based on ROBust and privacy-presERving proximity Tracing, or ROBERT for short, because the French Government cannot help itself when naming things using fake acronyms.
This is one of the most concerning Contact Tracing implementations, as it is fully centralized (the server is the one that verifies exposures, not the clients) and it even enforces user registration.
Although there is clearly fragmentation in the European Contact Tracing App ecosystem, it is not that big of a deal, as all countries except for France and Hungary have taken a decentralized approach that works by hosting TEK batches in their backends and letting clients download them to verify exposures.
As these TEKs are in the GAEN protocol format, it means all decentralized apps should hypothetically be able to exchange their batches. This looks like the next reasonable step forward and hopefully it becomes a reality with the EU Federation Gateway Service initiative that some CTAs are already using.
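To illustrate why batches from different decentralized backends are interchangeable, here is an added example (not code from this article or from any of the apps) that parses a GAEN key export file with a minimal protobuf reader. It assumes the publicly documented export layout (`export.bin` starts with a 16-byte `EK Export v1` header followed by a `TemporaryExposureKeyExport` message); the function names are hypothetical and the sample bytes are constructed, not real keys.

```python
import struct

HEADER = b"EK Export v1".ljust(16)  # 16-byte magic that opens export.bin
TEK_FIELDS = {1: "key_data", 2: "transmission_risk_level",
              3: "rolling_start_interval_number", 4: "rolling_period"}

def _varint(buf, i):
    """Decode a protobuf varint at offset i; return (value, next offset)."""
    val = shift = 0
    while True:
        byte = buf[i]
        val |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return val, i + 1
        i, shift = i + 1, shift + 7

def _fields(buf):
    """Yield (field number, value) for each field of one protobuf message."""
    i = 0
    while i < len(buf):
        tag, i = _varint(buf, i)
        num, wire = tag >> 3, tag & 7
        if wire == 0:                              # varint
            val, i = _varint(buf, i)
        elif wire == 1:                            # fixed64 (timestamps)
            val, i = struct.unpack_from("<Q", buf, i)[0], i + 8
        elif wire == 2:                            # length-delimited
            size, i = _varint(buf, i)
            if i + size > len(buf):
                raise ValueError("truncated field")
            val, i = buf[i:i + size], i + size
        else:
            raise ValueError(f"unsupported wire type {wire}")
        yield num, val

def parse_export(blob):
    if blob[:16] != HEADER:                        # reject non-GAEN files early
        raise ValueError("missing 'EK Export v1' header")
    batch = {"region": None, "keys": []}
    for num, val in _fields(blob[16:]):
        if num == 3:                               # region
            batch["region"] = val.decode("utf-8")
        elif num == 7:                             # repeated TemporaryExposureKey
            batch["keys"].append({TEK_FIELDS[n]: v for n, v in _fields(val) if n in TEK_FIELDS})
    return batch

# Constructed sample batch: region "ES" and one TEK (not real key material).
SAMPLE = HEADER + bytes.fromhex("0900105e5f00000000" "1a024553" "3a1c"
    "0a10000102030405060708090a0b0c0d0e0f" "1004" "18e0e0a201" "209001")
```

Fields the parser does not name (timestamps, batch numbers, signature info) are skipped, so the same reader handles any backend's batch as long as it follows the export format.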
- Summary of European Contact Tracing Apps 🔥
- Mobile contact tracing apps in EU Member States
- Publicly-available Exposure Notifications apps
- Decentralized Privacy-Preserving Proximity Tracing
- ROBust and privacy-presERving proximity Tracing
Found a misspelling, have a correction or additional information? Let me know and I'll be glad to fix it! 🙂