Apple releases Covid-19 ‘Exposure Notifications Express’

Apple has released iOS 13.7, which includes COVID-19 ‘exposure notifications express’, functionality it hopes will make it easier for health agencies to join its coronavirus exposure notification system without the need to build an app.

The feature, termed ‘exposure notifications express’, is ‘only available when a Public Health Authority (PHA) supports it’, according to Apple and Google.

The organisations have configured their servers to notify users of potential Covid-19 exposure without the need for an individual app to be downloaded. Notifications appear in the same way as a general system notification, so a dedicated Exposure Notifications app is not required.

The technology is currently being rolled out in the US, where one earlier problem was that states had differing contact tracing apps; interoperability between apps has been reported as troublesome.

For iPhone users, an opt-in to Exposure Notifications will become available in the device’s settings, while Android operating systems will generate a custom Android app through a configuration file.

The system will be built into iOS 13.7, which Apple launched yesterday, with the Android version deploying later this month to all users with Android 6.0 or higher.

If a user opts in, a random ID will be generated for that specific device, which changes every 10 to 20 minutes to ensure that the user’s location or personal details cannot be identified.

A user’s phone and phones in the surrounding area will then work in the background to exchange ‘privacy-preserving random IDs via Bluetooth’. Both Google and Apple state that the app does not need to be left open for this information exchange to occur.

A user’s phone periodically checks all random IDs associated with positive Covid cases against its own list; if a match occurs, an exposure notification will be sent to the user, including information on how to keep themselves and the people around them safe.

Apple have published a comprehensive list of the steps that occur when verifying a diagnosis and subsequently sending a notification:

  • First, a user with Exposure Notifications enabled on their iPhone running iOS 13.7 or later gets tested for COVID-19. 
  • The test centre or other health care provider determines that the user has a positive test result and reports it to the PHA. 
  • The PHA generates a verification code using the test verification server. 
  • The PHA sends the verification code to the user. The code may be emailed, read over the phone, or provided as a clickable deep link in a text message. 
  • The user enters the verification code or clicks the provided link to inform their iPhone of the positive diagnosis. 
  • The user’s iPhone contacts the test verification server to validate the verification code. If the code is valid, it receives back a long-term authentication token from the test verification server and stores it. 
  • If necessary, the user’s iPhone prompts the user for additional information. 
  • The user’s iPhone creates a hashed message authentication code (HMAC) calculated from the user’s exposure key data and sends it to the test verification server along with the user’s authentication token, receiving in return a certificate and additional per-key metadata. 
  • The user’s iPhone validates the returned certificate and metadata and stores them. 
  • iPhone prompts the user for permission to submit their keys to the key server. 
  • If the user grants permission, their iPhone uploads their temporary exposure keys to the key server along with the authentication token, certificate, and metadata received from the test verification server. 
  • If the test verification server validates the uploaded keys, it adds them to its database and returns a revision token that can be used to upload a diagnosis change for the uploaded keys.
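
The verification steps above can be sketched as a small simulation showing why the HMAC matters: the certificate is bound to one exact set of exposure keys, so keys swapped in after certification are rejected. This is an added example, not Apple's or Google's code. The key encoding, the one-time code, the shared-secret MAC standing in for the certificate signature, the key server seeing the device's HMAC secret, and all names are assumptions.

```python
import hashlib, hmac, json, secrets

# Constructed stand-in for the verification server's certificate signing key.
# Assumption: a shared-secret MAC replaces the real certificate signature.
CERT_KEY = secrets.token_bytes(32)

def key_hmac(teks, device_secret):
    """HMAC over the exposure keys; sorted so both sides hash identical bytes."""
    data = ",".join(sorted(f"{key}.{interval}" for key, interval in teks))
    return hmac.new(device_secret, data.encode(), hashlib.sha256).hexdigest()

class VerificationServer:
    def __init__(self):
        self.codes, self.tokens = set(), set()

    def issue_code(self):                 # PHA generates a verification code
        code = f"{secrets.randbelow(10**8):08d}"
        self.codes.add(code)
        return code

    def redeem(self, code):               # phone validates the code
        if code not in self.codes:
            return None
        self.codes.remove(code)           # one-time use (assumption)
        token = secrets.token_urlsafe(16)
        self.tokens.add(token)
        return token

    def certify(self, token, mac):        # phone sends HMAC + token
        if token not in self.tokens:
            return None
        body = json.dumps({"key_hmac": mac})
        sig = hmac.new(CERT_KEY, body.encode(), hashlib.sha256).hexdigest()
        return {"body": body, "sig": sig}

def key_server_accepts(cert, teks, device_secret):
    """Accept an upload only if the certificate is genuine and covers these keys."""
    good = hmac.new(CERT_KEY, cert["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(good, cert["sig"]):
        return False
    claimed = json.loads(cert["body"])["key_hmac"]
    return hmac.compare_digest(claimed, key_hmac(teks, device_secret))

def demo():
    vs, secret = VerificationServer(), secrets.token_bytes(16)
    teks = [("a1b2", 2664000), ("c3d4", 2664144)]   # constructed sample keys
    code = vs.issue_code()
    token = vs.redeem(code)
    cert = vs.certify(token, key_hmac(teks, secret))
    swapped = teks + [("ffff", 2664288)]            # key added after certification
    return (key_server_accepts(cert, teks, secret),
            key_server_accepts(cert, swapped, secret),
            vs.redeem(code))
```

`demo()` returns whether the certified keys are accepted, whether the altered key set is accepted, and the result of redeeming the same verification code a second time.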

On the system, Apple and Google said: “As the next step in our work with public health authorities on Exposure Notifications, we are making it easier and faster for them to use the Exposure Notifications System without the need for them to build and maintain an app.”

“Exposure Notifications Express provides another option for public health authorities to supplement their existing contact tracing operations with technology without compromising on the project’s core tenets of user privacy and security.”