The current Covid Radar app for Android, as reported and posted on GitHub by developer Jorge J. Ramos, contains a trace to Firebase, a Google tool frequently used in application development, primarily to obtain analysis and error information.
As we indicated in our in-depth analysis of the Covid Radar Code, currently Android app code does not match code posted on GitHub, and one of the differences is precisely this: the trace to Firebase is not in the GitHub version, but in the version 1.0 currently used on Android.
What Firebase is and what it is used for in Radar Covid
Firebase, as Google itself explains, is a tool that allows you to record events in apps. In other words, serves, among other things, to send error reports to the developer. The main “problem” is that in order to send these reports, it collects various data along the way: model of phone that downloaded the app, time of use, etc.
In the case of Radar Covid, the Secretariat tells us that Firebase was used to detect bugs in the application and thus accelerate its development
Every developer can use Firebase for a specific purpose. From the Secretary of State for Artificial Intelligence (SEDIA), they tell us that this tool was used during the test phase of the application to “accelerate development” (detect Bugs) and that in the updated version (the one published on GitHub), it is no longer implemented.
“For greater clarity, no user data has ever been collected. It was just used during the testing phase to speed up development, no more. In the updated version, you can see that it is gone. ” SEDIA spokesperson.
Although it is not known exactly what Covid Radar data collected during its testing phase, SEDIA ensures that no data has ever been collected from users. The privacy concerns with this code are that according to the GDPR (General Data Protection Regulation), apps are required to report the presence of external code (in this case, Google), which has not been done. .
If it is true that they have skipped this step since the full version will not use Firebase (as reported by SEDIA), considering that Android version 1.0 has traces of software, it should have been indicated in accordance with the regulations.
Does Firebase pose a privacy risk?
Not at the beginning. In the first place, because the frequent use of Firebase is to perform analysis on errors and the use of the application, which SEDIA subscribes to, claiming that it was used in the development phase of the app to streamline the process. The current application contains a trace to Firebase, but there are no explicit references in the code to Firebase itself. What there is is a reference to a folder called “Pods”, a small holdover from a system called Cocoapods, the recommended way to implement Firebase.
Version 1.06, published on GitHub, no longer contains traces to Firebase. From SEDIA, they tell us that this is the version that will come to Android, with the relevant modifications
The most important thing here is that the version published on GitHub, which is the most recent version, no longer contains this code. In fact, if we look at the version of Covid Radar for iOS, 1.07, this trace is not present. On Android we still have version 1.0, which is outdated and contains gaps with the GitHub code.