> The UK's coronavirus contact-tracing app is set to use a different model to the one proposed by Apple and Google, despite concerns raised about privacy and performance.
> The NHS says it has a way to make the software work "sufficiently well" on iPhones without users having to keep it active and on-screen.
> That limitation has posed problems for similar apps in other countries.
> Experts from GCHQ's National Cyber Security Centre have aided the effort.
At the time, I definitely saw people assuming that this meant that some kind of exploit was being used to achieve access to Bluetooth while the app was inactive, even though regular APIs do not permit this. The new technical information doesn't directly address this point, though the Register article does suggest a plausible alternative, whereby one user with an actively-running app can cause the app to wake on other users' phones by sending out a Bluetooth LE broadcast. I've no idea how this would perform in practice.
I'd be surprised if some unknown exploit was being used to gain access to Bluetooth - basically, it would probably be too useful for other, more nefarious purposes, so it would be unlikely to be used in an app deployed to millions.
The Norwegian NHS equivalent had a similar app developed, running off-screen on both Android and iOS, using Bluetooth - though I have no idea how they pull it off.
Edit: The above paragraph is incorrect; my apologies. I did some research and found that the app only uses Bluetooth on iOS when the phone is unlocked; however the app itself may be off-screen.
While the phone is locked, it relies on GPS for positioning and presumably correlates location and time data to indicate whether you may have been exposed to an infected person or not.
Irrelevant anecdote - as I am typing this, Spotify put on The The's 80s hit 'Infected'. Hah!
Germany turned on a dime, and is going to use the Google/Apple solution. Denmark is about to turn on the same dime, as our solution mirrored the Norwegian solution, but had the same iOS problems (I only read that the government was strongly considering the Google/Apple solution, but no verdict yet).