TÜViT testing the IT and Data Security of the Corona Warning App

TÜViT is commissioned by the German Federal Office for Information Security (BSI) to test the Corona Warning App.

After the corona lockdown of the previous months, the signs in Germany are increasingly pointing toward the restrictions being withdrawn. A corona warning app, which is currently being developed at full speed by SAP and T-Systems, is intended to support this process. The IT security of the app and its compliance with the data protection principles are now to be checked by an independent body. TÜViT was recently awarded the contract for this by the German Federal Office for Information Security (BSI). Among other things, the involvement of TÜViT is intended to ensure greater acceptance in society.

The corona pandemic is still having an effect on life in Germany. Even so, the measures that have been taken in the meantime have had an impact. Through appropriate relaxation measures, social life and the economy are gaining momentum once more. However, if new chains of infection do arise, transparency and speed will be the decisive factors for containing the renewed spread of the virus.

Many countries are therefore relying on the use of digital tools such as corona apps. Professional circles agree on the following: only if such apps are used by around 60% of the population can a significant effect be achieved. Acceptance by broad sections of the population is the key to the across-the-board use of the app, explains Dirk Kretzschmar, the Chief Executive Officer of TÜV Informationstechnik GmbH (TÜViT). This is exactly where the IT security experts from Essen come in. "With a TÜViT test, we can significantly increase public confidence in the use of the app so that many more restrictions can be lifted," Kretzschmar is convinced.

IT security, data protection and personal rights have already been given the highest priority in the app development process. For example, no movement profiles are tracked. Instead, Germany is putting its faith in a decentralized approach with tracing by means of Bluetooth technology. Here, the distance between two smartphones is measured. If it falls below a critical value for a certain period of time, the devices exchange an encrypted code. Only afterwards may a user learn, completely anonymously and by means of a comparison performed exclusively on the smartphone, that he or she has had direct contact with an infected person. Furthermore, the principle of voluntary action applies. This starts when the app is downloaded. It is up to the individuals affected to decide whether to report their own infection. If you delete the app, the data will be erased as well. Personal information, by contrast, is not collected at all.

"Whether these requirements have actually been implemented in detail is the subject of our tests," explains Christian Freckmann, Head of Business Security & Privacy at TÜViT. Around him, pentesters are already analyzing the first delivery of source code. Data protection experts then check, for example, whether data protection guidelines, declarations of consent and the data protection concept have been adequately implemented. "We prepared ourselves thoroughly and have blocked capacities. Nevertheless, overtime is currently the order of the day at TÜViT's offices in Essen," adds Freckmann. After all, the intention is for the app to be available as quickly as possible. However, this is not possible without the requisite degree of care.

TÜViT is convinced of the possibilities that the IoT offers. But there are also dark sides. IT and data security is therefore also an absolute must in times of the coronavirus. "With our testing we are assuming responsibility and would like to make an important contribution to the success of the new corona warning app. We very much hope to further advance solidarity throughout Germany by digital means," says Kretzschmar, describing his motivation.


Verena Lingemann, Editor

Tel.: +49 201 8999-658
Fax: +49 201 8999-888