UK said to be on verge of major technology shift for Covid-19 contact-tracing app

Insight into workings of NHS contact-tracing app

Computer Weekly talked to UK app and data recovery service Reincubate, which has been granted exclusive access to the app and insight into its workings. The company said that after testing the app until the morning of 7 May 2020, while there were questions about the app “staying alive”, and acknowledging that app developers have few options when it comes to keeping apps “alive” when they’re not active on a user’s device, the NHSX app has used “a few smart techniques” to gain better outcomes regarding power usage for an app detecting other devices.

In its analysis, Reincubate rebutted claims that the app uses private Bluetooth APIs by stating that the NHS Covid-19 app uses public Bluetooth APIs within iOS and doesn’t appear to take advantage of any special privileges. Instead, there are some clever techniques.

One of these techniques is focused on the behaviour of Bluetooth for suspended apps used on Apple iOS devices. Reincubate founder and CEO Aidan Fitzpatrick said: “We noted that Apple changes how an app can scan for new devices when suspended. Suspended apps aren’t able to correctly recognise devices that they haven’t seen before. It’s harder to look for signs of new devices, to communicate with them meaningfully, and in particular to identify non-Apple devices.”

Reincubate said it believed NHSX had approached the non-Apple device challenge the other way around. “Realising they couldn’t influence what iOS was doing in this regard, they’ve built clever stuff in their Android app to recognise the restricted, Apple-specific messages that a backgrounded app on an iOS device would send,” Fitzpatrick said.

“This gives the Android device enough information to be able to talk to the iOS device, waking it up into a state in which they can communicate. The situation without iOS is a little different; there’s a threshold whereby the NHS Covid-19 app can ‘go quiet’ when left in the background for a period of time, and device logs show examples of this. In this case, the app has been pushed to the background, but will be able to continue to scan (technically, 'broadcast') for over an hour and a half. Other events on the phone, including other apps using Bluetooth, can extend this.”

The company also claimed that in tests, iOS devices have continued to keep the background service running overnight.

As a consequence, Fitzpatrick concluded that it was not possible to say the app would become ineffective in iOS-to-iOS communication after a certain period of time. He added that there were some “less common” situations where iOS might try to completely suspend a background app, for instance where the system is running low on memory. Reincubate added that it was continuing to look into this and would be publishing more detail as things develop.

To date on 7 May there has been no official response by NHSX, but in a conference call attended by leading government scientists and Computer Weekly on 4 May, NHSX chief executive Mathew Gould stressed that even though there had been a lot of talk about the UK and Apple and Google taking different approaches, NHSX was working “very closely” with Apple and Google and that the development programmes were not “a competition”.

“There’s a huge amount of cooperation going on – we are all trying to achieve the same thing. And it’s natural for a new technology that we are testing different approaches and seeing what ‘unknown’ works,” Gould added.

“There are a good number of countries that are following a centralised approach like we are – for example, France, Japan and others – so it’s not the case that we’re going off in one direction and the entire rest of the world is going off in another. There’s a good number doing what we’re doing. We are talking to a range of countries, using all different models, about what an interoperable approach might be [and] how we can make sure systems can speak to each other. It’s not going to be straightforward, but it never is.”