Amidst the many changes happening at the University this fall, one may outlast the pandemic.
On July 30, UNC announced the launch of the new Carolina Ready Safety App, replacing the LiveSafe app. The app, developed in conjunction with UNC Police Chief David Perry and his team, brings new features, such as a mobile Blue Light system. But it has also raised cybersecurity and privacy concerns among students and faculty.
The Carolina Ready Safety App is built with AppArmor, which provides organizations with custom-branded safety apps, notification systems and more. AppArmor’s platform has been used at many universities across the country, including Columbia University, Vanderbilt University, the University of Chicago and the University of Florida, along with hospitals, such as Seattle Children’s Hospital, and police departments.
UNC Information Technology Services said in a statement via UNC Media Relations that the app was developed with feedback from various campus groups such as Student Government, Environment Health and Safety and Campus Police.
“Everyone who has a connection and responsibility to that technology, we wanted them to give us their insights, and they did, and that’s how we came to this conclusion,” Perry said. “We had a very detailed and methodical process to make sure we weren’t missing anything. And to make sure we were getting a good return on investment.”
Prior to his tenure at UNC, Perry served as the Chief of Police at Florida State University, which also uses AppArmor for its safety app, SeminoleSAFE.
Many of the features in UNC’s safety app pertain to COVID-19 — it offers a coronavirus information feed, as well as links to UNC’s Community Standards and campus mask distribution sites.
In addition, there are new safety features, such as a mobile BlueLight system that connects students to emergency services through location-sharing and is only operational on campus.
WorkAlone allows students and employees who may be working alone to request that a push notification be sent to them at certain time intervals. If the user doesn’t respond to the notification, a call can then be sent to a preset contact. Students or employees who may be walking alone, or at night, can use Friend Walk to allow friends and family to remotely monitor their location data until they reach their destination.
Perry said he and his team hope to expand on the services offered by the app.
“We can add any office that’s prominent and frequently used by our students to make those resources available,” Perry said. “I’m sure within the next week, we’re going to have different icons listed for general orders, a lost and found database. We’re gonna link students and employees to important data through the North Carolina State Bureau of Investigation and traffic stop data. We’re gonna create a registry where students can engrave and keep up with their personal property.”
Perry said the app would serve as an additional resource for students and would not replace physical blue lights around campus or Alert Carolina.
At other universities
At the University of Florida, the GatorSAFE app — also developed on the AppArmor platform — was released in 2016. It offers similar features, such as the Mobile BlueLight system.
Enasha Shah, a student at UF, said in a message to The Daily Tar Heel that she finds the app’s personalized safety features the most useful and appreciates the extra security it offers to students.
“As a college student, I’ve had my fair shares of staying at the library too late or waiting for an Uber after a night out,” she said. “At times like these, I always felt a little uneasy — especially if I was alone and it was dark. Knowing now that there’s an application available for students that allows them to look after their friends is super comforting and I hope people put it to good use, because I am very confident that it could save lives and prevent traumatic experiences.”
However, for some UNC community members, the security of the app and student information raises red flags.
Preeyanka Rao, undergraduate student body vice president, voiced her concerns at the July 30 meeting of the Commission on Campus Equality and Student Equity.
She said her friends had run an audit of the app, revealing security issues that could potentially leave users open to hackers.
The DTH performed a static analysis on the Android version of the Carolina Ready Safety App using Mobile Security Framework, an open-source security analysis framework. The Carolina Ready Safety App received an overall security score of 10 out of 100, with an average common vulnerability scoring system score of 6.1, putting it at medium vulnerability. CVSS measures the software vulnerabilities of applications.
One of the major issues that MobSF identified was that the app enables cleartext network traffic, which means that data may be transmitted in a cleartext format. Cleartext means that the data travels unencrypted. Thus, adversaries can intercept or alter the data.
Regarding potential security vulnerabilities, Perry said AppArmor is a "secure platform. It’s a reliable company that has a very strong reputation.”
He also emphasized that, to his knowledge, no safety breaches or violations of student or employee data have been reported on AppArmor apps.
UNC ITS also stated that AppArmor runs Qualys scans on the app — Qualys is an information security software company — and that Apple and Google required the app to undergo security testing before making it available in their respective app stores.
Some students also worry about user privacy. UNC Police has faced criticism in the past for its use of geo-fencing to monitor the social media posts of Silent Sam protesters for specific words and phrases.
But UNC Police will not have access to user location data except in specific cases, Perry said, such as when the user explicitly provides the data to UNC Police in the case of Friend Walk or WorkAlone.
“You're going to provide us that access so we can check on you, and have your GPS location during that time frame only,” Perry said. “Aside from that, we can't reverse call you, we can't look you up. There's no way for us to use our data and we would not want to retain it.”
UNC ITS stated that the University can see the locations where Friend Walk is being used, but not any associated user information.
Perry emphasized that in any other situation, UNC Police would have to obtain a subpoena to access student location records. UNC ITS stated that student data is hosted on AppArmor servers, not within UNC's systems.
Overall, Perry said, he hopes this app will prove useful for the UNC community.
“It’s a toolkit, right in the palm of your hand,” he said. “With the Carolina Ready app, you have access to resources and can make your own connections, or find data, or watch videos on how to secure your bike or how to stay safe.”
To get the day's news and headlines in your inbox each morning, sign up for our email newsletters.