A while ago I ran a test against the FBI Fit Test looking to see what, if any, data it sent when in use. The short answer is that in my short test, using one piece of software, I saw nothing.
So, why not take a look at the new COVIDaware MN app? We’ve heard that a lot of them are leaking data like sieves. I haven’t seen anyone show the leaked data but I also haven’t looked very hard.
First, I download the app. Simple enough. I’m using the iOS version.
I fired up Zap and started to see what came through when I started the app for the first time.
It was bare. Only my email that runs in the background every time I want to screenshot the data I get.
I piddled around to see if anything would go through and nothing did, so I chose to Check for Exposures.
This got us a ding. Well, it kinda has to, doesn’t it?
So it connects to two servers (the blue is my email) and only does GET requests.
One server looks like it’s telling the app the parameters to look for.
While the other downloads the exposure data to ramble through.
Zap tells us they are using Azure to hold the data.
I export some data since it’s only zipped data.
Unzip the data and find 2 files.
A quick look at export.bin pops up something to use the interwebs to search for: EX Export v1
First result looks promising…
And to read about that, Google has some pretty in-depth documentation.
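Added example, not part of the original post or the app's code: a minimal reader for the two-file archive described above, following Google's published Exposure Notification key export format, where export.bin begins with a 16-byte space-padded "EK Export v1" header followed by a protobuf message. The sample archive, its key, timestamp and the region value "US" are constructed for illustration; the field numbers are assumed from Google's documentation.

```python
import io, struct, zipfile
HEADER = b"EK Export v1".ljust(16)  # 16-byte magic, space padded (Google's format docs)

def varint(buf, i):  # decode a protobuf varint at buf[i] -> (value, next index)
    val = shift = 0
    while True:
        val |= (buf[i] & 0x7F) << shift
        i, shift = i + 1, shift + 7
        if buf[i - 1] < 0x80:
            return val, i

def fields(buf):  # yield (field number, value) for each field of one message
    i = 0
    while i < len(buf):
        tag, i = varint(buf, i)
        if tag & 7 == 0:                      # varint
            val, i = varint(buf, i)
        elif tag & 7 == 1:                    # fixed64
            val, i = struct.unpack_from("<Q", buf, i)[0], i + 8
        elif tag & 7 == 2:                    # length-delimited
            n, i = varint(buf, i)
            val, i = buf[i:i + n], i + n
        else:
            raise ValueError(f"unexpected wire type {tag & 7}")
        yield tag >> 3, val

def summarize(zip_bytes):  # file list, batch window, region and keys of one archive
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as z:
        names, blob = sorted(z.namelist()), z.read("export.bin")
    if blob[:16] != HEADER:
        raise ValueError("export.bin does not start with the export header")
    out = {"files": names, "keys": []}
    for num, val in fields(blob[16:]):
        if num in (1, 2):                     # start_timestamp, end_timestamp (UTC seconds)
            out["start" if num == 1 else "end"] = val
        elif num == 3:                        # region
            out["region"] = val.decode()
        elif num == 7:                        # one TemporaryExposureKey
            k = dict(fields(val))
            out["keys"].append({"key_data": k[1].hex(), "rolling_start": k.get(3), "rolling_period": k.get(4)})
    return out

def sample_zip():  # constructed archive (not real app data) holding one made-up key
    key = b"\x0a\x10" + bytes(range(16)) + b"\x18\x90\xac\xa3\x01\x20\x90\x01"
    body = b"\x09" + struct.pack("<Q", 1605744000) + b"\x1a\x02US\x3a" + bytes([len(key)]) + key
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("export.bin", HEADER + body)
        z.writestr("export.sig", b"")
    return buf.getvalue()
```

Passing the bytes of an exported archive to summarize() returns the same structure: a time window, a region string, and per key only 16 bytes of key data plus interval numbers.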
What happens when someone presses the Report Result button? For that I have no idea. I’ll let someone else take a look at that. Same for how it communicates over Bluetooth.
Will I keep this on my phone? Yes.
Should you download and install it? Why are you asking me? The data I found is above. If that makes you feel comfortable, great. If you need more info, be on the lookout for others who also will be doing rundowns on the app and see what you can learn.