Why some COVID-19 apps need location services

Hint: It's not because they want to track you or your phone

If you downloaded a COVID-19 app recently, like COVID Alert, you may have been surprised that the app requires location services on Android. After all, we were promised that these apps cannot see our location. So what gives? Are these apps secretly spying on us? (Spoiler: the answer is no.)

Many of these apps use an API (more on what an API is in a second) provided by Apple and Google to perform the actual exposure checks. This API is called the Exposure Notifications API. It was announced back in April 2020 by a joint press release from Apple and Google. Many COVID-19 apps made since then use this API, and you can tell if the one you downloaded does by looking for this symbol on the app's listing in the Google Play Store (that is, if the symbol is present, the app uses this API).

It is important to note that this article is specifically talking about the COVID-19 apps that use this API, such as Canada's COVID Alert or Germany's Covid-Warn-App. Apps that do not use this API are out of scope of this article and are not discussed any further.

Okay great, but why do I care about this API? And what even is an API?

Let's address that second question first. An API is essentially a predefined task that a program can run. If we wanted to make an iffy analogy, you could consider yourself to be a program and the gas pedal in your car to be an API. The gas pedal has a predefined behavior; you simply interact with the gas pedal and your car starts moving. You do not have to worry about how that gas pedal works, it just does. That is all an API is, a pre-defined task that a program can run if it wants to.

Alright, now that we know what an API is, we can move on to the first question. The Exposure Notifications API is core to this entire article because it is the mechanism by which said apps check for potential viral exposures. That is, the apps themselves are doing very little work. Most of the work is performed by this API. And it is this API, in fact, that requires location services, not the app. Going back to the earlier analogy, the app is just pushing the gas pedal. So what we are really discussing is why this API needs access to location services. (Why this distinction matters will become clear later on.)

Alright, so why does this API need location services to be turned on?

The API works by using a technology called Bluetooth Low Energy scanning. Essentially, BLE scanning is a mechanism by which a phone (or similar device) can listen for wirelessly transmitted identifiers from other electronics. For example, Walmart could place electronics in their store that broadcasts a unique store identifier. They might then design their mobile app to listen for these identifiers, allowing the app to notify you of sales in your local Walmart upon you entering the store.

The API takes advantage of BLE scanning by making everyone's phone do two things:

  • Broadcast a unique identifier that is changed every 10 to 20 minutes
  • Listen for identifiers from other phones and record them

When someone tests positive, their COVID-19 app shares its unique identifiers with other phones. Those phones then check to see if it has seen any of those unique identifiers. If it has, it might then tell you that you were, at some point in the past, close to someone who was since diagnosed with COVID-19. I say might because different COVID-19 apps have different criteria for notifying users. Some might require that you were near someone who was diagnosed for 15 minutes, while others might have no time criteria.

Unfortunately, Android does not let apps use BLE scanning if location services is turned off or if the app does not have permission to access your location. More on this in a second.

Note: I am slightly over-simplifying when I say it "shares its unique identifiers with other phones." It is actually a bit more complicated but, fortunately, exactly how it works does not impact the point of this article. If you are a technically minded individual, I encourage you to read the API's cryptography specification.

Wait, wait. Why does BLE scanning require location services to be on?

Good question. This has to do with what an app is capable of if it were acting malicious. Consider our Walmart example from earlier. In that example, the Walmart app is clearly able to determine which specific store you are in (after all, that was the whole reason that it is using BLE scanning). So that would mean Walmart is able to tell where you are, at least if where you are is a Walmart. But now what if Walmart placed their identifier broadcasting electronics at every traffic light in New York City? Well now Walmart could track you almost anywhere in New York City. This is an obvious problem; apps that use BLE scanning could track you by looking at what identifier broadcasting electronics you are near.

To solve this problem and to protect users, Google decided it would only let apps use BLE scanning if location services is turned on and if the app has permission to access your location.

But doesn't that mean the app can track me after all?

This is where that API vs app distinction becomes important. It is not the app using BLE scanning, but rather the API that is using it. In fact, if you check the permissions of your COVID-19 app of choice, you will see it does not have any location permissions. That is, it is not even capable of using BLE scanning. What is capable of using BLE scanning is the system app that does all the work for the API, Google Play Services. (Note that a "system app" is an app that is built into your phone, like the Gmail app. While it can be updated independently of Android, it is indeed built into your phone.)

So it is Google Play Services, not your COVID-19 app of choice, that has access to BLE scanning.

But how did I know that your COVID-19 app of choice does not have location permissions? I knew because apps are not allowed to use the Exposure Notifications API if they have, or even request, any location permissions. This is a protection built right into, and enforced by, the API.

So the COVID-19 app cannot track me but Google can?

If Google made Play Services do something other than what they said it does, sure. But it is important to remember that Google also made both Android and these very location protections. If Google wanted to act maliciously and track you, they could have easily added tracking into Android that bypasses these restrictions.

So yes, you are trusting Google to not maliciously track you, but you are already doing that just by having an Android phone. The reality is, if they wanted to spy on you, this would be one of the silliest ways to do so.

Yeah, but if Google really could modify Android to silently track you, why wouldn't they just make this API work silently?

This is a consequence of the current state of affairs of Android updates. Unfortunately, due to how Android is distributed, updates to Android are very dependent on both mobile carriers and individual manufacturers. For instance, if you bought a Samsung device from Rogers, updates to your phone are dependent on both Samsung and Rogers working to give you those updates in a timely manner. That is, if everyone had to wait for their phone to get a newer version of Android, then most people would not be able to use these COVID-19 apps until well after there is already a vaccine for COVID-19.

Furthermore, many people still use older versions of Android. In fact, up to 40% of people still use Android 6 (with the latest version of Android being 10). The reason that many of these people are using such an outdated version of Android is simply because their manufacturer (or carrier) has not made newer versions of Android available for their phones; it is normal for phones to stop getting updates after several years. Thus, if everyone needed the latest version of Android, a very large percentage of people would either need to get new phones or accept that they can never use COVID-19 apps.

To solve both these issues, Google added support for this API via an update to Play Services, a system app on almost all Android phones. Since Play Services is an app that is often updated, like any other app, Google was able to add support for COVID-19 apps to phones running older versions of Android. That is, they found a pretty smart way to bypass the update issues of Android while supporting older phones.

Thus they could not make this API work silently because Android was not designed with this API in mind. It is operating under the same (or similar) limitations as any other Android app on your phone. Thus the API needs location services to be on, as would any other app that uses BLE scanning. This is not Google trying to spy on you, it is Google playing by its own privacy protection rules.

Update 2020-09-08: As of Android 11, the Exposure Notifications API no longer needs location services to be turned on. Older versions of Android will still need it to be turned on for the reasons mentioned above.

Okay, fair enough, but now other apps on my phone can track me!

Not quite. While the API does require location services to be on, it does not require you to give location permissions to other apps. You can, if you so desire, revoke location permissions from all apps on your phone (with the sole exception of Play Services, which needs to have location permissions for the API to work, as described above). By doing so, you are guaranteeing that no other app on your phone can track you.

Final words

These COVID-19 apps cannot track you in any way whatsoever. There are strong protections in place to stop them from tracking you even if they tried. These apps respect your privacy while protecting the health of you and your loved ones. Do everyone you care about a favor, and use your country's COVID-19 app.