Translated Press Release: Covid-19 Apps show Software Development in Crisis
In November, the DeepSec security conference will highlight the software masquerade.
In everyday language there is the saying “There’s an app for that!”. The phrase is often used as a joke, even outside the IT industry. The current Covid-19 crisis has once again addressed computer code as a universal solution to problems that are not exclusively related to information technology. Generic digitization seems to be the answer to all problems. Of course, data processing can help. The prerequisite for this, however, is the existence of real data that has also been collected in a comprehensible and careful manner. This is exactly why many projects fail.
Magical phones with infinite Intelligence
The call for apps has been repeated again and again in recent years. The visions are in no way inferior to the creative ideas in scripts for feature films and series. Software that runs on small portable phones is said to solve the most complex tasks and, with a simple swipe of your fingers, deliver results that could only be achieved through years of work in the past. In fact, most applications only scratch the surface. One tiny detail is often forgotten: What does the code do without an Internet connection to huge server farms and databases that you can’t even see on the touchscreen? Apps are just a shift in the facts. If the smartphone stays cool and the battery lasts a long time, the magic actually happens somewhere else. Almost nothing on the end device is smart, due to the lack of available performance.
It’s about the complexity of building an infrastructure behind the actual app you see. Without interaction with the big siblings in data centers, the applications on the phone in hand are reduced very quickly. In this scenario, data is not just crude oil, it is also the fuel of digitization. However, the drive does not work as you think. End users are the source of digital gold. You are not at the wheel, but deep in the borehole.
Lack of Security Design
Modern code does not come from nowhere. When developing applications, you either have to build on existing code or create libraries yourself. Even with a mixed construction, at least months pass to halfway achieve a tested design. When there is a lot of pressure on completion, software development likes to take shortcuts. To make matters worse, the design begins with the questions of the problem to be solved and focuses on features right from the start. The implementation of secure code and secure design is usually left behind. Such developments are very common in the field of smart home devices.
A frequently used argument is the controlled publication of applications via the manufacturers’ app stores. Of course, tests run there, but a checklist that runs in less than a minute can hardly detect any security weaknesses or even design errors. In view of the large number of programs available in the virtual stores, something will inevitably slip through inconspicuously. Finding gaps and threats is much more time consuming. Security experts are often asked whether a certain product is safe. An immediate response is expected. This is not realistic and only works in the movie scripts mentioned at the beginning.
Software as a Masquerade
Promise and reality are rarely close to each other in digitization. There has been a lot of discussion about the Austrian Corona Tracing app in the past few weeks. It was primarily about privacy and app security concerns. If you go back several steps and question the quality of the data that this app is supposed to collect, the result shows a completely different picture. Ross Anderson, a British computer scientist at the University of Cambridge, analyzed the accuracy of the smartphone platform in an article entitled “Contact Tracing in the Real World” (published in the Light Blue Touchpaper blog of the computer science institute). His conclusion: The development of an app ties up more resources than the benefits of such an application can outweigh. Bruce Schneier, an American expert in cryptography and computer security, writes on his blog about the effects of positive and negative false reports from a Corona app. Looking at this aspect alone disqualifies the app for use in the real world. Security and data protection have not yet been considered in this analysis. Schneier’s article “Me on COVID-19 Contact Tracing Apps” can be read online.
Furthermore, a smartphone is an unsuitable platform for infectious diseases. Since GPS is too imprecise, one tries to use Bluetooth for the measurement of presence and distance. Bluetooth LE (Low Energy) is often used on the devices to extend the battery life. However, the measurement of the signal strength with Bluetooth LE is only suitable for a passable resolution if people are separated by massive structural measures, such as reinforced concrete. Materials such as wood, plaster or thin stone are permeable to the measurement. In addition, you have to fight with reflections that distort direction and range. According to data sheets from the chip manufacturers, the reception power fluctuates in some cases by a factor of 100. Furthermore, Bluetooth LE is designed as a system with a single antenna. This means that the direction of the signal cannot actually be determined. This requires several antennas. On top of that, people like to hold their smartphone in different positions, which introduces another blur. Even in the laboratory the localization errors are so high that this technology is eliminated. Scenarios such as local public transport, shops or restaurants were not considered at all, let alone walking on the street or in narrow stairwells (where Bluetooth LE signals can be measured behind every door). The key rings already mentioned publicly should not give the situation any significant improvement. Physics is very ruthless here.
The excursion makes it clear: Unfortunately, software is no longer only used to solve problems. It is often used to mask open questions and to fake solutions. This is a masquerade that we find in many areas of modern society. The task of security experts is to see through this masquerade. Without the distribution of Sars-Cov-2, “Masquerade” was therefore chosen as the motto for the DeepSec In-Depth Security Conference taking place in November. Information security is always about a look behind the scenes. Code needs to be de-constructed and analysed. Software architecture has to be questioned. Weaknesses in design have to be identified.
Disenchanted Digitization as a Blueprint for Improvement
The arguments and approaches given here are not a blueprint for the price increase in digitization. The declared aim of the DeepSec conference is to bring people who are entrusted with various aspects of modern information technology to one table and to get them to exchange ideas. The approaches mentioned for a corona tracing app are just a striking example. Security experts regularly warn that a solid – secure – design is essential for applications. One is therefore well advised to consult the experts before talking yourself into a dead end.
Digitization can only bring progress if the underlying approach is carefully thought out. Every trip to the cinema can easily illustrate this: No film with a bad script gets better if you show it to the audience in high resolution or even 3D. You then unfortunately only see an expensively produced fiasco – as sometimes in software development. Despite its motto, the DeepSec conference therefore does not want to offer a masquerade, but rather to give all participants the opportunity to exchange ideas with experts. It is about looking behind the mask and evaluating what is really behind a technology. For this purpose, trainings are also offered that offer highly concentrated hands-on, usable knowledge in two days. The first training units are already online and can be booked.
Take the opportunity before your product fails even before it is on the market. It should be noted that this sentence applies particularly to decision-makers outside the market who want to digitize companies and citizens at another level. Writing down digitization as a word and constantly repeating it all by itself is not enough.
Programs and Booking
The DeepSec 2020 conference days are November 19th and 20th.
The DeepSec trainings take place on the previous two days, November 17th and 18th.
DeepSec is located at the hotel The Imperial Riding School Vienna – A Renaissance Hotel, Ungargasse 60, 1030 Vienna.
You can order tickets for the DeepSec conference itself and the training sessions at any time under the link https://deepsec.net/register.html.
Sources of the quoted articles by Ross Anderson and Bruce Schneier:
https://www.lightbluetouchpaper.org/2020/04/12/contact-tracing-in-the-real-world/
https://www.schneier.com/blog/archives/2020/05/me_on_covad-19_.html