Survey: Nearly Half of Americans Refusing or Unlikely to Opt-In to COVID-19 Contact Tracing Apps

The past few months have placed digital transformation into overdrive, with consumers gravitating toward distance-enabling technology and applications more than ever before. While the benefits of these tools are clear in maintaining a sense of normalcy and continuity in our personal and professional lives, malicious actors have shifted their sights to capitalize accordingly. From video conferencing application hacks to the proliferation of coronavirus-related phishing scams, organizations, software developers, and end users alike are on high alert.

In light of these events, in early May 2020, Checkmarx commissioned a survey of U.S. consumers to better understand their perceptions around the security of the software and applications they’re using in their everyday lives. This gave us a timely view into trends in consumer web and mobile app use since COVID-19 became a widespread pandemic, as well as their thoughts and expectations about software security and privacy and the adoption of contact tracing apps.

Here’s what we found, along with recommendations that all organizations and software developers should keep in mind moving forward when it comes to AppSec and software security.

Increased application and software usage heightens security concerns amongst consumers

As a result of the widespread stay-at-home orders implemented, 44% of respondents are using mobile and web applications more than they did before the pandemic, with another 43% saying they’re doing so at least the same amount. Additionally, 28% are spending over six hours per day using apps, and over half (56%) are spending at least three. These numbers rise amongst younger demographics, with 43% of 18-24 year-olds using apps for over six hours per day, 50% of whom say this is more frequent than before.

Consumers are also branching out with their use of new applications. When asked which of the following apps they have used for the first time during the COVID-19 pandemic, 44% said video conferencing (e.g. Zoom, Microsoft Teams), while 25% said food delivery (e.g. Uber Eats and Instacart), 23% said e-Commerce (e.g. Amazon, Target), 19% said virtual learning (e.g. Google Classroom), and 16% said finance/banking (e.g. Venmo, Zelle).

Due to the rapid technological shift brought on by COVID-19 and consumers increasing their use of new technology, software, and applications, the majority of respondents expressed corresponding security concerns. According to the findings, 61% of consumers are extremely, moderately, or somewhat concerned with the security of applications and software, with another 16% saying they’re slightly concerned. Just 23% said they are not concerned at all.

Among individuals surveyed with children aged K-12, when asked which of the following apps their children have used for the first time during the COVID-19 pandemic, one-in-five said video conferencing apps. Additionally, 15% said remote learning apps (e.g. Dreambox, Khan Academy), 9% said music apps (e.g. Spotify), 8% said online gaming apps (e.g. Xbox Live), and another 8% said eBook / audiobook apps (e.g. Audible, Kindle).

As a result of, and falling in line with, respondents’ general security and privacy concerns with the applications they’re using and new ones they’re adopting, nearly half (48%) say they’re either unlikely or will flat out refuse to opt-in to COVID-19 contact tracing apps. Additionally, another 23% said they’re on the fence about doing so. Meanwhile, just 15% said they are extremely likely to opt-in. This brings about questions of contact tracing effectiveness and accuracy if minimal adoption is seen.

With that said, respondents expressed that if certain steps were taken, they would feel more comfortable with using COVID-19 contact tracing apps. When given the following options, consumers indicated that first and foremost they’re seeking the ability to opt-out of data sharing at any time (38%). Additionally, they would like more information about the security measures being implemented (35%) and more transparency about data usage (32%).

When asked which of the following concerns they had when it comes to COVID-19 contact tracing applications, consumers indicated:

  • How their data will be used, stored, or shared (45%)
  • Granting third-party access to the apps (29%)
  • General application hacking concerns (28%)
  • Risk of health records being exposed (27%)
  • Risk of location data being exposed (25%)

Furthermore, 52% of surveyed individuals reported having Bluetooth turned on on their smartphones only 50% of the time or less, with 18% saying they have it enabled less than 25% of the time and another 18% saying they never have it on. Considering many contact tracing applications rely on Bluetooth technology to detect encounters with individuals who have tested positive, this may also inhibit the effectiveness of these applications.

Respondents also showed interest in learning more about the software development process behind these apps, with 15% wanting more visibility into this and another 13% seeking more information about the types of code used to power the software.

While they appear to primarily be behind the scenes, software developers are front and center in enabling today’s sprint to digital transformation. From designing and developing contact tracing applications, remote working solutions, e-Commerce software, etc. to patching critical software vulnerabilities, developers have never been more essential.

As individuals and organizations look to leverage new digital tools and applications in our current environment and beyond, Checkmarx suggests including the following on your security checklist for staying technologically safe:

  • Don’t be fooled into updating software applications from counterfeit websites. When in doubt, open up the applications themselves and update using the instructions within;
  • Use your corporate VPN, in addition to a private VPN, to give yourself a layered security approach;
  • Suspect any domain that does not use .com, .edu, .gov, .org, etc. If it doesn’t appear to be legitimate, it’s almost guaranteed not to be; and
  • Try to separate daily online “fun” activities from critical ones. Don’t log into your bank account, retirement account, etc., while surfing questionable sites within the same browser.

For more tips on staying cyber-secure, read our blog here.

Checkmarx recommends the following application and software security best practices:

  • Static application security testing (SAST) scans of source code during the code, check-in, and build stages;
  • Software composition analysis (SCA) to identify open source components and vulnerabilities that may have been introduced;
  • Leverage interactive application security testing (IAST) in test and quality assurance environments to eliminate delays in finding vulnerabilities during functional testing;
  • Use a combination of external and internal penetration tests to assess the security posture of applications against real-world cyberattacks;
  • Prioritize transparency when it comes to data collection, usage, and storage by ensuring end-user license agreements (EULA) are clear and concise;
  • Triple check APIs to ensure third-party access is granted securely; the OWASP API Security Top 10 list is a good place to start; and
  • Ensure relevant compliance including with GDPR, HIPAA, CCPA, etc.

Consumers recognize developers’ role in preserving application security and privacy, with nearly half (49%) feeling as though they’re most responsible for this effort. As users continue to adopt new technologies (whether by choice or necessity), security must be a priority for all organizations that develop software and the developers within.

About the Survey
Using Google Consumer Surveys, Checkmarx surveyed approximately 1,500 consumers about their application and software usage habits, as well as their views on contact tracing, in relation to the COVID-19 pandemic. All respondents were located in the United States and over the age of 18. The survey was conducted in May 2020.

Learn more about how Checkmarx can help your organization achieve its software security goals here.