Immune has been available in the Italian stores for iOS and Android for little more than a week, but we can already draw some first conclusions. We go through some of the technical details with Alberto Zannol, TO of Mobisec, an Italian company specialized in mobile security.
After reaching more than interesting download numbers in the first days, the Immune app is active on an experimental basis in 4 test regions (Puglia, Abruzzo, Marche and Liguria), but it is already installed and running on 2.2 million Italian devices, both iOS and Android.
Already during the lockdown, discussion began on how effective contact tracing apps may be in containing an epidemic characterized by a high level of contagiousness such as COVID-19. Apple and Google agreed to implement in their operating systems a number of tools that let developers release their own solutions for this purpose in a short time. The main feature of the solution proposed by the two American technology giants is that it is based on a “decentralized” model: all contact information is managed and processed on the user’s device, to ensure privacy.
The Italian Government then chose to entrust Bending Spoons with the development of its own contact tracing app, called “Immune”; the gestation period was about a month. Let’s try to understand, together with the manager of Mobisec, the main Italian company in mobile cyber security, what the overall quality of Immune is, along with some “behind the scenes” aspects.
The App Store was launched in 2008. After 12 years, this is the first time that an app has become the centre of a preventive health care mechanism at the national and, hopefully, intra-European level. This gives a good idea of how important apps have become in our digital lives. Mobisec is focused on a very specific niche of this market: would you please tell us a little about what you deal with?
Mobisec focuses on security analysis for mobile applications. It is not a new sector, even though our company dates from 2015. In those days, we had noticed that the approach to mobile cyber security was wrong, as it started from preconceptions tied to web applications, while the world of apps is focused on client-server dialogue, much more like traditional desktop software. Steve Jobs himself had called the software that could be downloaded from the App Store “desktop class applications”, and in fact even the development tools on the Apple platform are the same for iOS and macOS.
The approach of analysis adopted in the market until then was therefore a big “conceptual” mistake, because it focused on code review and network communications rather than on the real usage of the app. We therefore set up, first in Italy, a platform dedicated exclusively to the analysis of mobile apps: while a web application is tested only on code and the network, we have 18 levels of investigation that are taken into consideration.
Also, the security of an app is not tied only to what happens in the app, but is also based on what is happening around it: the interaction with the OS, with other apps, external devices, etc. This too is a different model from what was done previously. In the world of web applications all of this is tested, if all goes well, once a year or at major releases, while in the mobile world it must be carried out practically with every minor update, or otherwise continuously. Thanks to this approach, it is possible to generate a complete security report in about two days. In a nutshell, we work as “White Hats”: we are enemies of ourselves, because we are constantly trying to break into our customers’ apps, working in a black box, without asking them in advance for documentation of any kind.
Coming to Immune, did you offer your services, or were you contacted by the Ministry?
Our direct contact has been Bending Spoons; we were contacted by them in the first place. They called us when they had a Release Candidate and wanted to be sure that, from the outside, their work was unimpeachable. The test lasted about 10 days and produced an in-depth assessment on both iOS and Android.
Between these two platforms, is there one that is “better developed”?
Both versions were already of a high level in the RC phase, when we got there. They were very solid; we shared with Bending Spoons some considerations, which were fixed practically in real time by the developers. The security level was very high, thanks mainly to the technological choice made upstream, namely adopting the Google and Apple SDK, which had already excluded a whole range of risk factors. On this, Bending Spoons is acknowledged as one of the best Italian software houses in the mobile world.
Are Android and iOS interoperable? That is, if I have an iPhone and am in contact with an asymptomatic person who has Android, will I receive a notification?
Yes, absolutely: in our tests, we used both platforms, making them interact with each other. Compliance is cross-platform.
And with regard to the impact on the battery?
Consider that some of the phones that we use are heavily modified, with performance tests always active in order to analyze the impact of our platform on the overall use of the device. Even on these devices, the presence of Immune has not had any significant impact on the level of battery drain.
Thanks to the use of Bluetooth Low Energy, the radio part of the phone is only active at the moment of contact, so in two consecutive weeks of testing we have not noticed a significant impact on the battery life of the devices.
The Immune notification is triggered only when the risk index exceeds a certain threshold. This is calculated from a series of parameters, among them the distance and the time of contact. How much does the accuracy of BTLE on iPhone matter in this context? Have you noticed significant differences compared to Android?
In addition to the tests on the smartphones, we also use a series of external devices, among them a Bluetooth repeater, which allows a rather precise measurement of the radio values generated. The two parameters used to evaluate a contact are the exposure time and the “quality” of the contact, measured by the strength of the signal. This allows you to distinguish someone who is physically in the same room from someone you just passed while you’re in the middle of traffic. The Bluetooth repeater in our laboratories was working slightly better on iOS, but we don’t know whether this is down to a better implementation of the BT protocol on iOS or simply linked to the rule-of-thumb measurements that we recorded in our tests.
Would the use of GPS, at the moment disabled in Immune, lead to significant benefits?
Android necessarily asks for access to GPS because the very structure of that operating system requires that, in order to access BTLE, the app be granted permission to use GPS. Google’s operating system in fact considers all network connections (BT, NFC, GPS, WIFI, 3G/4G/5G, etc.) under a single heading, “NETWORK”. Apart from this aspect, neither of the two platforms uses GPS, since there would be no significant benefits. GPS in this context would give less precision than the interaction between two BT devices allows, would consume more battery, and would create significant problems in terms of privacy, since location is sensitive.
The effectiveness of a contact tracing app is related to how widely it is adopted by the population. Even if it does not reach the 60% assumed for its optimal operation, would the app still be a useful tool?
Absolutely; there are numerous studies (MIT, Oxford) on the subject showing that even usage above 10% of the population can significantly reduce the spread of infection. It certainly cannot be regarded as the only weapon at our disposal, because it has to be placed in a context that is tied to swabs on one side and to health facilities on the other. Even a lower adoption also allows data to be analyzed and very accurate mathematical models to be built that are useful for containment.
For further information you can contact Alberto Zannol at his email address.