The NHS Covid-19 app has finally been given an update to address the glitch causing phantom notifications which led to widespread alarm among users.
England and Wales’s contact-tracing app is based on the software blueprint laid out for free by Apple and Google.
Many people have reported receiving the bizarre alerts over the last two weeks which were said to be ‘default messages’ from Apple and Google.
They can say ‘Possible COVID-19 exposure’, ‘COVID-19 EXPOSURE LOGGING’ or ‘COVID-19 Exposure Notifications’.
However, despite being highly disconcerting, these are not warnings that the user has been in close contact with someone diagnosed with Covid-19.
The Department of Health blamed Apple and Google for the glitch, and the tech giants neglected to explain why the notifications were appearing and what their purpose was.
Now, in a secretive update to the app rolled out today, the Department of Health has eventually tackled the issue – albeit in a rather inelegant way.
The notifications in their current guise will still appear, but people who receive one will then also get a follow-up alert telling them to ignore it.
It will read: ‘COVID-19 Exposure Check Complete. Don’t worry, we have assessed your risk and there is no need to take action at this time. Please continue to stay alert and follow the latest advice on social distancing.’
It remains unknown if users will have to manually update their app via either the Google Play Store of Apple’s App Store, or if it will upgrade automatically.
Pictured, the notification which will follow one of the so-called ‘phantom alerts’. This workaround is designed to quash any concern users may have after receiving the initial notification
Many users were getting alerts which were ‘default messages’ from Apple and Google, saying ‘Possible COVID-19 exposure’, ‘COVID-19 EXPOSURE LOGGING’ or ‘COVID-19 Exposure Notifications’. Pictured, an example of the phantom notification which was sent out last week
Pictured, an example of one of the confusing alerts on Android. The NHS Covid-19 app has finally been given an update to address the glitch
Last week, MailOnline reported that Apple, Google and the Department of Health all refused to explain why the issue was occurring, what was causing it and and if anything was being done to fix it.
Both Apple and Google both declined to comment.
Meanwhile, the Department of Health said: ‘NHS COVID-19 app users only need to self-isolate if they get a notification directly from the app advising them to do so.’
The only other official guidance came from an obscure FAQ sheet on the NHS website, which also explains that the notifications cannot be turned off.
When asked for a new comment today regarding the update, the Department of Health gave the exact same statement.
While being bereft of detail and offering little in the way of explanation, this means users should only self-isolate if the app itself has sent out an alert, not a default message from Apple and Google which bypasses the app.
This subtle distinction was not explained to users and is tricky to spot for the untrained eye.
The best way to tell them apart is either by clicking on the notification and seeing what happens, or by the wording of the notification.
According to DHSC, a true notification will read: ‘The app has detected that you have been in contact with someone who has coronavirus. Please stay at home and self-isolate to keep yourself and others safe.’
Messages from the NHS COVID-19 app will also not ‘disappear’ when you click them, and you will be able to see the advice for you within the app when you open it.
This image is what the NHS Covid-19 app looks like following a legitimate notification from the app. When clicking on a notification, if it vanishes, it is a default message and should be ignored. If a screen like this appears, then you may have been exposed to coronavirus
The ‘Protect Scotland’ app is also susceptible to the ghost notifications, according to a ‘How It Works ‘ sheet, but only for Apple devices. It looks like this image, according to the official website
The Apple-Google API is also used by Covid apps in dozens of countries around the world, including those of Scotland and Northern Ireland.
The ‘Protect Scotland’ app is also susceptible to the ghost notifications, according to a ‘How It Works’ sheet, but only for Apple devices.
‘App users with Apple devices may receive weekly notifications referring to COVID-19 Exposure Logging,’ it reads.
‘These messages are autogenerated by Apple iOS and do not form any part of operation of the Protect Scotland app.
‘They are not a close contact alert and do not require you to self-isolate.’
Northern Ireland’s Department of Health told MailOnline that the phantom notifications were an issue that plagued the country’s app, called StopCOVID NI.
However, this is no longer an ‘active problem’ as the app has been updated to run on the most recent API, a spokesperson said last week.
Currently, more than 1.4million people have downloaded the Scottish app and almost half a million have the Northern Irish app, called StopCOVID NI.
Jake Moore, cybersecurity specialist at ESET, told MailOnline unreliable notifications could lead the app down the same street as the fable of The Boy Who Cried Wolf.
The NHS app (pictured) was launched on September 11 and is designed to find any close contacts an infected person has had before testing positive
‘If the device receives too many false positives, the owner will soon disbelieve any future genuine notification, resulting in a disruption of the real use of the app,’ he said.
‘Causing unnecessary self-isolation could potentially increase the cost to the government, too.
‘It is possible that the notifications within the app are test alerts to check response times, or other factors surrounding the devices, but without comment from the app developers, it may be difficult to know the full reason behind it.’
Javvad Malik, security awareness advocate at KnowBe4, a cybersecurity firm, adds: ‘It’s important for tech developers to take into consideration the user experience.
‘This is especially true for notifications. We see that when apps or software provide too many notifications, or the notifications all look the same, then users will very likely ignore them.
‘Similarly, notifications shouldn’t unnecessarily alarm people, especially when it comes to sensitive issues like exposure to COVID-19.’
The app has been besieged with issues since its conception at the very start of lockdown.
Matt Hancock initially hailed it as the single biggest tool in the fight against Covid-19, and the NHS began building its own version.
Originally, the NHS app was scheduled for release in May but was scrapped due to various flaws, such as draining batteries and spotting only four per cent of iPhones.
After a disastrous trial on the Isle of Wight, the NHSX app was abandoned in June at a cost of £12million.
Apple and Google has recently announced a separate system for regions that do not have the resources to develop a full blown app.
This system, called Exposure Notifications Express, will not require health authorities to build their own app, and it is hoped this simplified version will encourage uptake of track-and-trace protocols.
Public Health Authorities will have to authorise the system before it goes live in a specific region, and the tech giants say it is designed to work in conjunction with, not replace, existing track-and-trace apps.
How the NHS Covid-19 app works and the reasons behind some of its flaws
The NHS contact tracing coronavirus app , called NHS Covid-19, is based on a piece of software, an API, built by tech giants Apple and Google, who came together in an unprecedented alliance at the start of the pandemic.
It works via Bluetooth, which is fitted to almost every smartphone in the world, and involves a notification system to alert people if they have been in close proximity with someone diagnosed with Covid-19.
Apple and Google let the NHS determine what it deems to be suitable exposure for a a person to be considered at risk for infection.
The NHS set the limit as within 2m for 15 minutes.
However, Apple and Google have openly said the app is not perfect, due to the fact Bluetooth is being used for something it was never designed for.
Therefore, phones with the app installed can struggle to tell exactly how far away another device is.
Although the threshold is set at 2 metres, it emerged in early trials that people as far away as 4m were told thought by the technology to be less than 2m away.
Officials say that about 30 per cent of people told to self-isolate may have been more than two metres away from a positive case.
However, they claim most of these cases will be at a distance of 2.1m or 2.2 m, with 4m being a rarity.
Apple and Google have been aware of this issue since the inception of the project and have recently revealed they have used hundreds of different devices to help calibrate the system.
It is claimed the NHS app is more accurate than other contact tracing apps around the world which also use the Apple and Google API.
All the technology for the app is done in the phone itself, and no external servers are used, helping protect user data.
No location or personal data is sent to Apple, Google or the NHS and all interactions between phones are anonymous.
The randomised and untraceable links are only stored for two weeks on the phone itself before being permanently deleted.
A person can also choose to wipe their data clean, either in the app’s settings or by deleting the app.
In a conference call this week, representatives from both Google and Apple said the app is not intended to replace manual tracing, but to enhance it.
They added that, in the tests done in-house during development, 30 per cent of the exposure notifications that were triggered were not picked up by manual contact tracing.
For a person to receive am infection notification via the app, both they and the infected person must both have had the app at the time of their interaction.
During this interaction, on a bus for example, the phones acknowledge the device has met the 2m/15 min criteria.
The devices then automatically exchange anonymous ‘keys’ with each other via Bluetooth. The keys randomise and change approximately every 15 minutes.
If a person then receives a positive test, they receive a unique PIN from the NHS and input this in the app.
Once they have done this, all the anonymised keys from the phone of the infected person are added to a cloud database.
Every app is constantly checking in with the same cloud database to see is any of the ‘keys’ it has come into contact with match the keys of positive tests.
If a person’s phone finds a match, that person then receives a notification informing them they have been exposed and may be infected.
The app then provides that person with detailed information from the NHS on the next steps.
The mobile data needed for the app to work is being allowed free of charge in the UK by network carriers and it is believed the app has negligible impact on battery life.