Apple iOS 13.5 and COVID-19

Richard MallionApple, iOS


Apple has just released a beta of their forthcoming iOS 13.5. This version brings a few new features and capabilities specific to the current COVID-19 epidemic.

These features include:

  • Easier unlock while wearing a mask
  • A new Exposure Notification API

Easier unlock while wearing a mask

It is becoming more commonplace for people to wear some sort of face mask or covering, not only healthcare workers but also members of the public. In some countries it is now compulsory to wear them if you leave your house. 

As a consequence, this is causing issues with Face ID as the face cannot be recognised due to the mask.

At present, if Face ID fails to recognise your face, it takes a few seconds before the passcode prompt is shown. This can get annoying.

With iOS 13.5, the passcode prompt is now immediate. A small tweak but a welcome one.

Exposure Notification API

In a rare move of cooperation, Apple and Google have developed a new system for tracking the spread of COVID-19. These new APIs will be available for both Apple’s iOS platform and Google’s Android platform.

It will help public health authorities develop apps that will anonymously track the spread of COVID-19.

This new API will allow users to opt in or out at will. On iOS, Apple has added a new option under Settings to give the user full control over this.

Once enabled, it will use Bluetooth to track potential exposure to COVID-19, as confirmed by public health organisations. The phone will record instances of when it has been in contact with other users’ phones for an extended period of time. If a person is then diagnosed with COVID-19, the public health organisations can inform other people who may have been in contact with the infected person. 

Location information and personal information is not shared or collected. It is completely anonymous.

Exposure Notification API – An overview

Once the APIs are released, users can download an official app from a recognised public health organisation. 

The Exposure Notification API will use Bluetooth to try and locate nearby Bluetooth phones that have also opted into this service. The API will check signal strength to try and estimate the distance between the two phones. If the phones are close enough, currently approximately six feet, then both devices would log contact.

The API will collect data from the past two weeks. This data is anonymous but will be sent to the public health organisation relevant to the app you are using.

If a user learns they have been infected, they can grant permission for this data to be shared. To stop fake infections from being registered, the health organisation will need to verify the user is indeed infected. Anyone who has been in contact with the infected person over the last two weeks will be informed of potential exposure. They will not be told who the infected person is, just that they were potentially exposed. 

Exposure Notification API – How does it work?

Here is a bit more detail on how the proposed API will work.

On a daily basis, each phone will generate a unique private key called the ‘temporary exposure key’.

This key is used to generate random identification numbers which are called ‘Rolling Proximity Identifiers’ (RPIDs). 

The device will use Bluetooth to ping the device’s current RPID out to any nearby devices, at least once every five minutes. The device will also generate new RPIDs every ten to 20 minutes for security.

Each device will record all temporary exposure keys it has generated, and log all the RPIDs it has come into contact with from other devices over the past two weeks.

If a user learns they have been infected, they can grant the public health organisation permission to publicly share their temporary exposure keys from the last two weeks. As mentioned, the health organisation needs to verify the user is actually infected before the keys are shared. 

Once shared, the keys are known as ‘Diagnosis Keys’. These keys are stored in a public registry and will be available to everyone who uses the app.

Each diagnosis key contains all the information needed to regenerate the RPIDs associated with that user. So, the app can use this public registry to compare the RPIDs a user has been in contact with against the confirmed list of people infected with COVID-19. If a match is found, the user gets a notification of the potential risk.

Phase one and two

This new service will be rolled out over two phases.

Phase one:

Apple and Google will develop the new API for their respective platforms. This will require other authorised developers to build apps that utilise these APIs.

Phase two:

Apple and Google will build tools, so users will not need to use a third party app. This will help with adoption.

With both phases, the user still has to opt in.


This is a great example of technology being used in the health arena.

It is by no means a perfect system but it does allow for some form of contact tracing.

There are obstacles in its adoption.

All users have to opt in, which is great for security and privacy but may limit adoption.

Not everyone has a smart phone capable of running the required version of the OS that supports this API.

Phones may also be turned off, out of battery or have Bluetooth disabled.

It will also be interesting to see how well Bluetooth works in this scenario, and how well the APIs work in terms of what is considered to be a long enough exposure. Even under ideal conditions, the Bluetooth signal may not be strong enough or the phones may not be near each other for the required time, considering it may not check for up to five minutes.   

Also, some countries may choose to use alternative systems. The app currently being developed by the UK government does not use these APIs, they are developing their own solution.

More information

Here are some useful links from Apple and Google providing in depth detail on the service.