The federal government has been accused of short-circuiting efforts to build community trust in its rush to develop the COVIDsafe contact tracing app.
Though more than a million have so far downloaded the app, cybersecurity and privacy experts said the decision to shroud its development in secrecy and launch it without extensive testing or consultation undermined public confidence and increased the risk of safety and security flaws.
A slew of concerns and shortcomings have been raised since the COVIDsafe app was launched on Sunday, including compatibility issues with Apple iPhone operating systems, vulnerability to 'man in the middle' hacks and the impregnability of the centralised data storage.
Executive director of the Optus Macquarie University Cyber Security Hub, Dali Kaafar, said an examination of the app's code for the Google platform appeared to back the government's claims about how the app worked, including the type of information collected, how long it was kept and in-app encryption measures.
But Mr Kaafar warned of the risk that information transferred between the app and the national data store could be intercepted by hackers.
He said the security hole could be fixed, but was the sort of issue that could have been picked up during development if the government had shared key technical information with the cyber security sector.
The government has promised to release the app's source code, something a spokesperson for Health Minister Greg Hunt said would happen "in coming weeks, subject to final advice from cybersecurity agencies".
But Mr Kaafar said research showed that the best way to try to ensure robust and secure systems was to share code widely during development and testing rather than after public release.
His concerns were shared by Australian Privacy Foundation chair David Vaile, who said the approach taken by the government undermined public trust and confidence.
"The way this app has been released, with incomplete information, incomplete protections and no consultation, is very disappointing," Mr Vaile said.
He said the government's decision to withhold critical technical information like design specifications during the app's development, and the failure to consult "outside the Canberra bubble" on the accompanying Privacy Impact Assessment, undermined public confidence.
"None of this was available before the app was released, so there has been no opportunity to help spot and avoid overlooked mistakes, unintended consequences or foreseeable risks," he said.
One of the consequences, according to University of Wollongong information science professor Katina Michael, is that there are serious problems with the way the app works on Apple iPhones.
Professor Michael said it appeared the app needed to be on and active to work, which was a particular problem for iPhone users because the operating system would not let it run in the background.
In addition, she warned, it could be a big drain on the phone's battery.
"There is a major chink in the design. And little attention was placed on user device performance. We haven't done enough field testing and this means the device will likely not work as it drains people's batteries," she warned.
But Cybersecurity Cooperative Research Centre chief executive officer Rachael Falk, who was involved in reviewing the app's security parameters, expressed confidence in the safety of information collected.
"Given the limited nature of the personal data collected and the intended operation of the app, the CSCRC is satisfied with the integrity of its security and privacy features," Ms Falk said. "This is our path to recovery. This is a health app, not a surveillance app. This is about saving lives and getting Australia and Australians back to normal."
eSafety Commissioner Julie Inman Grant has also backed the use of the COVIDsafe app despite warnings on the organisation's website of the susceptibility of Bluetooth technology to eavesdropping and remote access.
Ms Inman Grant said online safety was a matter of degree and must constantly be balanced with other considerations.
She said there were measures users could take to improve Bluetooth security including strong passwords and high security settings.
She said her organisation had been consulted in the development of the app and supported its use.
"These are extraordinary times and require extraordinary measures," she said. "We strongly support the CovidSafe app, the citizen protections that were deliberately built-in and the campaign around it."