The Pandemic App Ecosystem: Investigating 493 Covid-Related iOS Apps across 98 Countries

Jonathan Albright
11 min readOct 28, 2020

--

Global map of developer/seller locations of 493 Covid-related iOS apps

Health and Fitness - Pandemic: The Next App Store Genre?

Since the Coronavirus pandemic began, a host of Covid-19 applications have emerged. In addition to the state-sponsored official “track and trace” and quarantine monitoring apps, hundreds of Covid-related apps offering everything from curated information, clinical care guidelines, and workplace/campus outbreak monitoring have become available for download in the iOS App and Google Play Stores.

Since March, I’ve followed these Covid-related iOS apps closely, compiling an extensive data set representing almost five hundred iOS apps across 98 countries. The data set, containing 493 Covid-related apps to be exact, is derived from the results of iOS app store queries for [Covid] and [Coronavirus] between March 24, 2020 and October 25, 2020.

The app store query results were deduplicated to see if any apps have been deleted/removed (note: so far, I haven’t found this to be the case for any app listed in the iOS store). Most of the apps are new; some, especially in the telemedicine and medical care categories, appear to have been repurposed to include Covid-specific features.

I enriched the apps with extensive metadata, including each application’s requested permissions, the seller/developer location (Country, State, and City), the embedded SDKs (Google Firebase, Google Ads, Facebook Audience Network, Branch, etc.), and coded into several use categories (Screening and Reporting, Information and Updates, Clinical Reference, etc.) based on the app descriptions. Where there was any doubt, I gathered news coverage and press releases.

As with my past efforts, I hope this comprehensive data-first view, including my first research output, an extensive Tableau data visualization package, acts as a resource for journalists, teachers, students, aid organizations, and citizens in every country. I also hope this data offers public authorities, tech leads, and policymakers another way to understand the massive reach, design, and societal impact of the new era of “pandemic apps.”

Example of the collected Covid iOS data — App permissions breakdown by app, developer, and country

The data—the result of months of work and data complication—can be interactively explored and filtered in almost any browser via the Tableau visualization: https://public.tableau.com/profile/d1gi#!/vizhome/CViOS_493/iOSSDKsbyAppandCountry

Make sure to view all the visualizations using the tabs directly above the active chart view. I also recommend using the filters I’ve added on the right of each visualization to reduce the amount of information overload and to answer specific queries. The underlying dataset should be available as a downloadable .csv soon—I’ll update this post and link it here.

I’ve collected, analyzed, and re-compiled a vast cross-section of metadata and supplemental data for 493 apps here, offering what I believe is easily the most comprehensive “Covid-related” iOS app marketplace snapshot to date, including:

  • Seller City (based on developer business listing lookups)
  • Seller State/Province (based on developer business listing lookups)
  • Seller Country (based on developer business listing lookups

To put it another way, I looked up every app multiple times—recording the city, the state/province (when available), and country for each one of the iOS developers (“artists/sellers”). I also used a variety of leading paid and unpaid tools, and in a few cases went so far as to download the source code myself and recompile the app in Apple’s Xcode to verify the device permissions requested by iOS applications (see “Safer Illinois” example below). I did the same to locate all the known SDKs embedded within the app’s source code.

The “Safer Illinois” app permissions in Xcode

For the SDK breakdowns in the data visualizations, I was primarily concerned with the analytics, app performance, and tracking-related SDKs included in the iOS application build. As you touch and/or hover over specific data points, all of the SDKs, and additional fields such as the app description, version, release date, app store URL, and genre will appear.

CoVerified iOS Covid Campus monitoring app expanded details example (upon icon hover)

The permissions and SDKs for some apps simply could not be obtained through any method other than actually downloading and installing them on a device through a foreign iOS app store and local currency. I didn’t want to do this, nor did I have the time to try it, but this dataset contains all of the permissions and SDKs for the vast majority of apps.

Furthermore, I researched, coded and added to this dataset:

  • Primary Use categories (i.e., Screening and Reporting, Information and Updates, Care Provision, Workplace Monitoring)
  • Secondary Use categories (i.e., Alert System, First Responder, Research)
  • Associated Entity Types (i.e., Public Health Agency, Hospital/Clinic, University, For-Profits aka Med-Tech Data Companies)
  • Utilizes Apple and Google Exposure Notification API (Yes/No)
  • HIPAA compliance (when available)

And then there’s the more common metadata, such as:

  • App Name
  • Seller Name
  • App ID (i.e., the app’s unique store ID)
  • Seller ID (i.e., listed developer’s App Store ID)
  • Release Date (the date the app was first available on App Store)
  • Seller Description
  • App Store URL
  • Seller URL (where available)
  • Artist Store URL
  • Price
  • Bundle ID
  • App Store Genre
  • App Store Genre ID
  • App Store Primary Genre Name
  • App Store Primary Genre ID
  • App Version (version on date last checked)
  • Release Notes
  • Content Advisory Rating
  • Language Codes (ISO2A)
  • File Size (in Bytes)
  • Average User Rating (All versions)
  • User Rating Count (All versions)

Looking at Covid App Data Across 98 Countries

With the sharp rise in Covid cases in the Northern Hemisphere this month, I believe this data is important to share immediately, so I’m publishing it. I am still in the process of writing up my results, so I plan to follow up with more acute observations about these 493 applications, approximately half of which fall into the “Screening and Reporting” category and therefore involve personal health data, location tracking and tracking, and symptom reporting.

My intention in releasing this data now is to:

  1. Show the pervasive data collection facilitated through requested device permissions. This is especially true for non-reporting Covid-related “information and update” apps that seek access to the device camera, the user’s photo and media libraries, contact lists, and the device’s precise GPS location);
  2. Show the reach of known application SDKs included in the source code of these apps—aka drag-and drop tech code associated with sophisticated tracking, analytics, and performance reporting; and
  3. Show the global, regional, and country-specific emergence of the Covid-related iOS apps, including by app store genre and the release date.

I’ve extensively coded and set all of the iOS permissions and SDKS into color-coded filterable matrices, even including iOS-like icons for permissions like camera access and location sharing for visual clarity. This entire set of 493 apps can be interactively drilled down and filtered in most of the data viz tabs—meaning that despite the large amount of information, the dataset can be easily explored by county, primary use category, developer location, AND specific permissions and/or SDK combinations (e.g., “location — always,” “Bluetooth — always,” “Photo Library,” and “Facebook SDKs”)

For instance, I have filtered various combinations of use categories to look at the screening and self-reporting iOS apps that only have embedded tracking SDKs like Google Ads, Facebook Audience Network, Branch, Urban Airship, and Open Signal installed. I’ve also looked up every known application that uses the Apple/Google Exposure Notification API and added this as a field in the app permission matrix visualization tab. There are 42 iOS apps that currently utilize the Exposure API.

I’ll save the rest for later, but this is a deep-dive kind of dataset that took months to build because of the extensive app permissions, the SDKs, the use category coding, and the developer/seller business and location lookups. Feel free to use this data as you wish; my only request is that you formally cite it in your future work, class assignments, and kindly reference/link to this post if any further insights and/or derivative work is published

I will relay a few key observations below. (Note: all of these images are directly from my interactive data visualizations)

The number of countries with Covid tracking/tracking/quarantine monitoring apps: 98

Global map of Covid-related iOS apps by country total

SDKs: Google, Google, and Fabric (Google)

Covid-related iOS SDK topline

Out of the 493 iOS apps that have appeared from Covid and/or Coronavirus searches since March 2020, half contain at least one Google SDK. This distribution does not appear to vary much by use category (e.g., Screening and Reporting), but here is what the SDK summary looks like for all of the apps in my database.

Covid-related iOS SDK breakdown — details callout example

Permissions: Location, Location, Location

Covid-related iOS app permissions topline

For iOS permissions, “Location — Always (and When in Use),” Camera, and Photo Library were the top requests across the 493 Covid-related apps.

Of course, the nature of the permissions requested by the application and the SDKs clearly vary by use category (I’ve included the chart below in my Covid-related app visualization workbook).

Impressions (After Looking at 493 Pandemic Apps for Seven Months)

Local, state, and regional authorities have responded with a flurry of official apps to connect their residents and visitors with resources—and to ensure updates and guidelines about the pandemic are timely and accurate.

In most cases, the apps serve two critical functions: first, as tools for screening and self-reporting symptoms, and second, as a means for real-time distributed case monitoring and alerts.

What this data also shows is that universities in the United States quickly have launched their own Covid-tracking and reporting apps in response to the pandemic. These apps were sometimes the result of partnerships between public health and computer science departments, and other times the apps appear to have been the work of a group of affiliated but largely independent faculty members.

Saint Louis University’s iOS Covid app’s defunct privacy and data collection Policy

And then there’s the Safer Illinois”app supporting an entire university’s building access, student screening/reporting, and local Covid testing efforts.

Apple User ID leak patch example — “Safer Illinois” Covid monitoring app

Yet again, this time due to the prolonged and global nature of the pandemic, public health authorities and policymakers have been launched headfirst into new ethical dilemmas involving outbreak control through mass tracking and data monitoring.

CampusClear — a widely used school monitoring app by an employee productivity predictive analytics firm

I simply do not remember a time when global public communication channels have been so codified and platformitized. By this, I mean that 2020 marks the stage—quite literally—when hundreds of public health agencies and government communication channels simultaneously collapsed their efforts into exactly two tightly controlled commercial marketplaces: Apple’s iOS and Google’s Play stores.

Not to mention the code infrastructure (SDKs) for at least half of these iOS apps has been built by one of the companies (Google). And of course the Bluetooth exposure notification system that governments around the world us—98 of them so far—has been conceived, built, and distributed by the same two companies.

As far as the internet’s utility during times of crisis is concerned, we’ve been here before, sort of: 9/11 marked the dawn of the public adopting tools—namely Google‘s search engine—to bypass media and information gatekeepers. When citizens sought news around the height of the 9/11 disaster events, they turned to a novel, relatively unfamiliar tool in their quest to locate details, verify the accuracy of claims made by others, and interpret the implications of the tragedy at hand.

2020, however, is an entirely different beast. For one, I’d argue it marks the return of the centralized gatekeeping that 9/11 abolished.

Australia’s “Check in CBR” iOS SDK and Permissions list

What’s most important is the manner in which this gatekeeping has been re-established. It’s embedded in the very fabric of the devices, the code supporting the apps that run on the devices, the applications that run on them, the marketplaces that are used to distribute them, and the infrastructures used by governments to track, monitor and trace the pandemic.

The story above was written in May 2020. Given the permissions I found, I doubt the states much to worry about.

Whereas 9/11 and 2020 represent events that galvanized the utility of the decentralized internet and the power of digital communication tools, the 2020 pandemic seems to have pulled the balance of power decidedly back to centralized institutions—not governments, but two multinational American technology companies.

People have long utilized programming in creative ways—including developing apps such as SETI and crowdsourcing accelerometers in laptops and mobile devices to act as earthquake sensors—and obtain real-time information during crisis events. This time around, however, at least 98 countries to date have harnessed commercial platforms to obtain critical real-time information about their citizens’ health status.

But they can do this only because the companies have built the ecosystem, infrastructure, marketplace — and of course, allow/approve their app — in the first place.

Example of Google Maps SDK and Exposure Plugin integration in iOS app code

The flow of information from citizens to centralized institutions and authorities now occurs exclusively through the infrastructures built by two American multinational technology conglomerates. That’s right: two companies. This really isn’t meant to be a diatribe about Apple and Google, though. Both have made contributions to society in ways that will still have yet to understand.

Rather, I want to suggest that this data helps to show that Covid-19 marks a global shift in the way local, regional, and national authorities distribute and collect data about their citizens during large-scale crises. And we have no idea when the policies will be changed—and they will—to facilitate other uses.

Apps in the time of the Coronavirus: it’s the reciprocal nature of the information flows that matter. As guidelines evolve and updates about Covid-19 are distributed to citizens, residents, tourists, and medical providers, information about those same individuals simultaneously flows back to public institutions, public agencies, regional authorities, and private research through exactly two tech platforms. And this time around, it’s even been codified into a global public health API.

--

--

Jonathan Albright
Jonathan Albright

Written by Jonathan Albright

Professor/researcher. Award-nominated data journalist. Media, data, & tech frmly #columbiajournalism #towcenter #berkmanklein #elonuniversity