How a tracking app can balance security and privacy during a health crisis.


The COVID-19 pandemic that spread through the world in early 2020 hit Italy hard, forcing the population into a lockdown that lasted more than two months. There was a need to track people who tested positive for COVID-19.

On 1 June 2020, the Immuni application, the official Italian COVID-19 tracking app, was released to help manage the emergency through contact tracing technology.



It was important to reassure public authorities and public prosecutors about the app’s security, given the sensitivity of the data involved.

Mobisec was called in to test the app and was actively involved in the project. Our main task was to make sure that Immuni users’ privacy and security were protected against potential threats and criticism. We were approached to ensure the app’s security, data processing, compliance with GDPR regulations, and users’ privacy.

We balanced the need to track the contagion with the safeguarding of personal data, while still making sure that the app was effective.

Key points


Analysis of vulnerabilities

We conducted an analysis of vulnerabilities and privacy issues in the use of operating systems.


In-depth experiments

We obtained access to operating system releases and conducted in-depth experiments on the app’s data exchange and networking, focusing on code quality and user data management.


Permissions management analysis

Although the Google/Apple library was sound, we highlighted some concerns about the application’s permissions management. We worked to revise the permissions list while preserving app functionality and quality.

