App Assay Report: Bluezone - Electronic mask

App Assay,


Status: draft

Recommendation: Before you download Bluezone, carefully consider the risks identified below. Depending on your personal situation, you may decide that the risks of running the August 2020 Bluezone version, or any earlier version, may outweigh the potential benefits.

About this App

Bluezone is the official Vietnamese COVID-19 contact tracing App, sponsored by the government of Vietnam and developed and operated by Vietnamese software company BKAV.

It is a smartphone App with a cloud component. So far, it has been downloaded more than 10 million times. Its use is heavily promoted by the Vietnamese government.

About this report

App Assay first analyzed Bluezone during May 2020. We then updated the assay in August 2020 as a new Bluezone version incorporated significant changes.

As for other COVID-19 Apps, when assaying Bluezone, we are primarily interested in answering the following questions:

  • How effective is the App against COVID-19? Can its effectiveness be quantified?

  • Are there downsides, or risks, of using the App, and if so, what are they? Can they be quantified? Are there particular population groups of App Users that may be more at risk than others?

  • Does the App, based on what we know about its current implementation status and usage, have unique opportunities to enlarge its impact on the pandemic or further reduce downsides or risks? What recommendations can we make to the App Creators in the context of current world-wide best practices?

This report summarizes our results. More details are available on our website at

Key findings

Key components of Bluezone were rewritten between our first assay in May 2020 and the update in August 2020. We note that many of the serious concerns that we had raised in our first assay on both effectiveness against the disease and risks for users were substantially reduced through the August 2020 update. However, significant additional concerns have emerged in the meantime.

  • The August 2020 version of the App now appears similarly effective in automated, BLE-based Contact tracing, as many other Apps developed for the same purpose around the world.

  • Bluezone now changes contact every 15 minutes, and thus in this respect is protecting user privacy comparable to world-wide best practices.

  • The Bluezone App Creators state that they have published the source code of the App to increase transparency. However, technical analysis of the actual App downloaded from the Google Play Store shows that the App contains significant amounts of code that have not been published. The documentation provides no indication that such a discrepancy may exist.

  • Part of the unpublished code base is functionality that allows the App Operator (BKAV) to download, at any time, the full contact history and the cryptographic root seed from any Bluezone user. This download is implemented to be completely silent: it requires no approval by the App User, nor is the App User notified in any way. This functionality is in conflict with the public statements of the App Creators that “The app stores data on your own device, not on centralized servers”.

  • No significant information is available on day-to-day operation of the App, and how App Operators and their sponsors in the Vietnamese government ensure that this privacy-busting functionality is never invoked. It is our view that if it is not intended to be invoked, it should not exist. And if it is intended to be invoked, this needs to be transparently communicated to all users.


For this assay, we evaluated a broad range of sources, including:

  • Publicly available documentation and marketing collateral about Bluezone, published by Bluezone’s creators

  • Analysis by third parties and available on the web

  • Our own analysis of the components of the Bluezone source code that the app developers posted to Github.

More information

For more information, please consult our full assay at