I'm not impressed with Kieran's article, and it's causing a lot of confusion and concern (as many other sites are just copy/pasting the information without checking). I know I'll get downvoted for this, but here are some facts to clear up a lot of the wilful misinformation doing the rounds.
1. No, the app was not developed by Cambridge Analytica or Dominic Cummings or Marc Warner or anyone like that. People who jumped on that bandwagon misunderstood a different NHS contract. The app has been developed by Pivotal (part of VMware) along with NHSX's in-house team.
2. No, you don't need the app running in the foreground. The iOS app uses some clever techniques to allow it to run just enough in the background to be able to continue functioning. The Android app has some nifty code to allow it to parse the iOS Bluetooth beacon format to maintain cross-app compatibility.
3. The app does not track your location. The Android app only asks for location services because, for some insane reason, Google decided that Bluetooth permission is tied to Location (i.e. you have to ask for the latter in order to get the former). The iOS app does not ask for location permissions, and the Android app does not actually use location data.
4. The app appears to be well written and uses good security practice (strong crypto, certificate pinning, UK-hosted API endpoints, etc.). There have been some false tweets about the crypto not being secure, but that's based on a misunderstanding of how the APK was decompiled.
Disclaimer: I'm not involved in any way with the app; I'm director of a company which spent a lot of time yesterday pulling the app apart to see how it actually ticks.