Albion College, a small liberal arts school in Michigan, said in June it would allow its nearly 1,500 students to return to campus for the new academic year starting in August. Lectures would be limited in size and the semester would finish by Thanksgiving rather than December. The school said it would test both staff and students upon their arrival to campus and throughout the academic year.
But less than two weeks before students began arriving on campus, the school announced it would require them to download and install a contact-tracing app called Aura, which it says will help it tackle any coronavirus outbreak on campus.
There’s a catch. The app is designed to track students’ real-time locations around the clock, and there is no way to opt out.
The Aura app lets the school know when a student tests positive for COVID-19. It also comes with a contact-tracing feature that alerts students when they have come into close proximity with a person who tested positive for the virus. But the feature requires constant access to the student’s real-time location, which the college says is necessary to track the spread of any exposure.
The school’s mandatory use of the app sparked privacy concerns and prompted parents to launch a petition to make using the app optional.
Worse, the app had at least two security vulnerabilities only discovered after the app was rolled out. One of the vulnerabilities allowed access to the app’s back-end servers. The other allowed us to infer a student’s COVID-19 test results.
The vulnerabilities were fixed. But students are still expected to use the app or face suspension.
Track and trace
Exactly how Aura came to be and how Albion became its first major customer is a mystery.
Aura was developed by Nucleus Careers in the months after the pandemic began. Nucleus Careers is a Pennsylvania-based recruiting firm founded in 2020, with no apparent history or experience in building or developing healthcare apps besides a brief mention in a recent press release. The app was built in partnership with Genetworx, a Virginia-based lab providing coronavirus tests. (We asked Genetworx about the app and its involvement, but TechCrunch did not hear back from the company.)
The app helps students locate and schedule COVID-19 testing on campus. Once a student is tested for COVID-19, the results are fed into the app.
If the test comes back negative, the app displays a QR code which, when scanned, says the student is “certified” free of the virus. If the student tests positive or has yet to be tested, the student’s QR code will read “denied.”
Aura uses the student’s real-time location to determine if they have come into contact with another person with the virus. Most other contact-tracing apps use nearby Bluetooth signals, which experts say is more privacy-friendly.
Hundreds of academics have argued that collecting and storing location data is bad for privacy.
In addition to having to install the app, students were told they are not allowed to leave campus for the duration of the semester without permission over fears that contact with the wider community might bring the virus back to campus.
If a student leaves campus without permission, the app will alert the school, and the student’s ID card will be locked and access to campus buildings will be revoked, according to an email to students, seen by TechCrunch.
Students are not allowed to turn off their location and can be suspended and “removed from campus” if they violate the policy, the email read.
Private universities in the U.S. like Albion can largely set and enforce their own rules and have been likened to “shadow criminal justice systems — without any of the protections or powers of a criminal court,” where students can face discipline and expulsion for almost any reason with little to no recourse. Last year, TechCrunch reported on a student at Tufts University who was expelled for alleged grade hacking, despite exculpatory evidence in her favor.
Albion said in an online Q&A that the “only time a student’s location data will be accessed is if they test positive or if they leave campus without following proper procedure.” But the school has not said how it will ensure that student location data is not improperly accessed, or who has access.
“I think it’s more creepy than anything and has caused me a lot of anxiety about going back,” one student going into their senior year, who asked not to be named, told TechCrunch.
A ‘rush job’
One Albion student was not convinced the app was safe or private.
The student, who asked to go by her Twitter handle @Q3w3e3, decompiles and analyzes apps on the side. “I just like knowing what apps are doing,” she told TechCrunch.
Buried in the app’s source code, she found hardcoded secret keys for the app’s backend servers, hosted on Amazon Web Services. She tweeted her findings — with careful redactions to prevent misuse — and reported the problems to Nucleus, but did not hear back.
A security researcher, who asked to go by her handle Gilda, was watching the tweets about Aura roll in. Gilda also dug into the app and found and tested the keys.
“The keys were practically ‘full access’,” Gilda told TechCrunch. She said the keys — since changed — gave her access to the app’s databases and cloud storage in which she found patient data, including COVID-19 test results with names, addresses and dates of birth.
Nucleus pushed out an updated version of the app on the same day with the keys removed, but did not acknowledge the vulnerability.
TechCrunch also wanted to look under the hood to see how Aura works. We used a network analysis tool, Burp Suite, to understand the network data going in and out of the app. (We’ve done this a few times before.) Using our spare iPhone, we registered an Aura account and logged in. The app normally pulls in recent COVID-19 tests. In our case, we didn’t have any and so the scannable QR code, generated by the app, declared that I had been “denied” clearance to enter campus — as to be expected.
But our network analysis tool showed that the QR code was not generated on the device but on a hidden part of Aura’s website. The web address that generated the QR code included the Aura user’s account number, which isn’t visible from the app. If we increased or decreased the account number in the web address by a single digit, it generated a QR code for that user’s Aura account.
In other words, because we could see another user’s QR code, we could also see the student’s full name, their COVID-19 test result status and what date the student was certified or denied.
TechCrunch did not enumerate each QR code, but through limited testing found that the bug may have exposed about 15,000 QR codes.
We described the app’s vulnerabilities to Will Strafach, a security researcher and chief executive at Guardian Firewall. Strafach said the app sounded like a “rush job,” and that the enumeration bug could be easily caught during a security review. “The fact that they were unaware tells me they did not even bother to do this,” he said. And, the keys left in the source code, said Strafach, suggested “a ‘just-ship-it’ attitude to a worrisome extreme.”
An email sent by Albion president Matthew Johnson, dated August 18 and shared with TechCrunch, confirmed that the school has since launched a security review of the app.
We sent Nucleus several questions — including about the vulnerabilities and if the app had gone through a security audit. Nucleus fixed the QR code vulnerability after TechCrunch detailed the bug. But a spokesperson for the company, Tony Defazio, did not provide comment. “I advised the company of your inquiry,” he said. The spokesperson did not return follow-up emails.
In response to the student’s findings, Albion said that the app was compliant with the Health Insurance Portability and Accountability Act, or HIPAA, which governs the privacy of health data and medical records. HIPAA also holds companies — including universities — accountable for security lapses involving health data. That can mean heavy fines or, in some cases, prosecution.
Albion spokesperson Chuck Carlson did not respond to our emails requesting comment.
At least two other schools, Bucknell University and Temple University, are reopening for the fall semester by requiring students to present two negative COVID-19 tests through Genetworx. The schools are not using Aura, but their own in-house student app to deliver the test results.
Albion students, meanwhile, are split on whether to comply, or refuse and face the consequences. @Q3w3e3 said she will not use the app. “I’m trying to work with the college to find an alternative way to be tested,” she told TechCrunch.
Parents have also expressed their anger at the policy.
“I absolutely hate it. I think it’s a violation of her privacy and civil liberties,” said Elizabeth Burbank, a parent of an Albion student, who signed the petition against the school’s tracking effort.
“I do want to keep my daughter safe, of course, and help keep others safe as well. We are more than happy to do our part. I do not believe however, a GPS tracker is the way to go,” she said. “Wash our hands. Eat healthy. And keep researching treatments and vaccines. That should be our focus.
“I do intend to do all I can to protect my daughter’s right to privacy and challenge her right to free movement in her community,” she said.
Send tips securely over Signal and WhatsApp to +1 646-755-8849 or send an encrypted email to: firstname.lastname@example.org