New: A university in Michigan is requiring all students to install an app that tracks their location around the clock. Students can't opt out. If students refuse, they face suspension. Worse, the app had two major security flaws that exposed private data. https://techcrunch.com/2020/08/19/coronavirus-albion-security-flaws-app/
The origins of the app, called Aura, are unclear. Aura is built by Nucleus, a recruiting firm with no apparent history or experience in building contact tracing apps.

Fearing an outbreak, students can't leave campus without permission. The app will alert the school if they do.
There's already outrage from students and parents alike. One of the school's own students, who decompiles apps on the side, analyzed the Aura app. She found hardcoded secret keys for the app's cloud database and storage servers embedded in the app's source code.
TechCrunch downloaded and tested the app, and immediately found another serious security vulnerability that allowed us to infer the COVID-19 test results on thousands of students. I asked @chronic for his thoughts. A security review would've found those bugs, he said.
In both cases, Aura's app maker, Nucleus, quietly fixed the vulnerabilities without acknowledgement. Nucleus didn't respond to any of our emails. TechCrunch learned this week that the university's president ordered a security review of the app — two weeks after it launched!
You can follow @zackwhittaker.