So I've now had a chance to review the COVIDSafe app source code.
Before I give you my thoughts, I have some caveats:
1. I've analysed what they have provided. Technically there is nothing stopping them from releasing one thing on GitHub and another thing on the various app stores.
2. They have removed all the code comments, which made this analysis much harder than it should be, so it is possible that I misinterpreted something.
3. Normally code review is done with the author sitting next to me (or at least on the other end of the microphone / headset).
4. I analysed the Android version, not the Apple version.
5. I don't get to see the code on their AWS server; however, based on what I know about the government's use of AWS, I'm not concerned there.
6. If all the below turns out to be wrong, you don't get to sue me.
First things first, this app CAN NOT upload any data without your express permission. The only places where the UploadData is called are all inside what are known as event handlers (aka you must do an action).
One of the more surprising things, it's pulling a script down which is hosted in Libya (at least according to a WHOIS. Edit: the address is Libyan, but the server is sitting in the USA; no COVIDSafe data is going to this server, it's a library call only), which is something I'll bring to their attention, since technically there may be a way to exploit it. However, in saying that, I don't think this is enough of a security concern to warrant uninstalling the application, and the technique of using online scripts is pretty common in all the applications that are currently on your phone.
They are using encryption that in my opinion is stronger than at least one of the big 4 banks (yes I just did a scan against one of the big 4, no I'm unlikely to get a knock at the door from men in dark suits tonight).
The personal details that it collects are sent to their central server; they are not shared to other people's mobile phones.
It does send the mobile phone type via plain text (aka unencrypted); unless you have a one-of-a-kind prototype, I don't really see that as a security risk.
It looks like they can change some of the parameters (such as the amount of time between each token getting cycled) remotely. That said, it doesn't look like they can change any of the fundamental parts of the application without requiring you to accept an update (aka I don't believe they can't silently change how the application works).
So based on this, if you have not already done so, get the app; if you have, continue using it.
I still maintain that this data is of limited value for any purpose other than contact tracing of COVID; it's not the honeypot that certain media organisations (ABC I'm looking at you, you wrote a really cough article tonight) are trying to scare you about.