
Narseo Vallina-Rodriguez

Researcher from IMDEA Networks / ICSI / AppCensus
#37884 of 53,638
7.4 Total CVSS
Vulnerabilities · 1
PT-2020-16359
7.4
2020-11-13
Apple · iOS · CVE-2020-26230
**Name of the Vulnerable Software and Affected Versions**

Radar COVID versions prior to 1.0.8 (uniform distribution) and 1.1.0 (exponential distribution) on iOS; Radar COVID versions prior to 1.0.7 (uniform distribution) and 1.1.0 (exponential distribution) on Android; Radar COVID Backend versions prior to 1.1.2-RELEASE.

**Description**

The issue allows identification and de-anonymization of COVID-19-positive users of Radar COVID. It is caused by the fact that only COVID-19-positive users make connections to the server, so any on-path observer can tell which users had a positive test simply by seeing that traffic. The attacker may further de-anonymize the user by correlating Radar COVID traffic with other identifiable information from the victim, such as contact information or user-generated flows that carry identifiers in the clear. The vulnerability has been mitigated by injecting dummy traffic from the application to the backend, so that connections are no longer made exclusively by positive users.

**Recommendations**

Update iOS Radar COVID to version 1.0.8 (uniform distribution) or 1.1.0 (exponential distribution) to fix the issue. Update Android Radar COVID to version 1.0.7 (uniform distribution) or 1.1.0 (exponential distribution) to fix the issue. Update Radar COVID Backend to version 1.1.2-RELEASE to fix the issue.