KARACHI: The federal government’s Covid-19 Gov PK mobile application came under criticism for security flaws on Tuesday from a French security researcher.
Baptiste Robert, a French security researcher who specialises in smartphone apps that abuse user data, reported a number of privacy gaffes in the application developed by the National IT Board (NITB).
The Android app asks users to allow it to access their mobile location data in order to show Covid-19 patients within a radius of 30 to 300 metres. It also allows patients to mark their location on the app to help others identify whether there is a positive case in their locality.
‘Worst security practice’
In a series of tweets, Robert — who tweets under the pseudonym Elliot Alderson — said the “radius alert” app was being run without proper security measures, using hardcoded passwords.
Password hardcoding refers to the practice of embedding plain text (unencrypted) passwords in the source code.
National IT board preparing app’s audit report
“To display the pins on the map, the app is downloading the exact longitude and latitude of sick people,” he said, adding that the security flaw meant any hacker could find the locations of the identified patients in Pakistan.
He further tweeted that requests sent from the app to the server were insecure (requests made over http). As a result, any potential attacker would be able to access any username and password being used to access the server.
“By keeping hardcoded credentials, use http or disclose personal data of infected people, the ‘COVID-19 Gov PK’ mobile app is a compilation of the worst security practices in mobile development,” Mr Robert told Dawn.
So far, over 500,000 people have downloaded the app.
Govt rejects claims
Responding to the allegations, NITB CEO Shabahat Ali Shah, in a statement on Twitter, said: “The app does not show the exact coordinates of the infected people, instead it shows a radius parameter that is fixed by default at 10m for self-declared patients and 300m at a quarantine location.”
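The dispute above is whether the client receives exact coordinates or only a radius. As an added illustration (not NITB’s code; the endpoint logic, helper names and patient records are constructed), the following shows how a radius alert can be served so that the app never downloads precise patient positions: the server decides proximity itself and releases only a count plus grid-snapped map pins no finer than the alert radius.

```python
# Added illustration, not the NITB app's code. Sample records are constructed.
import math

EARTH_RADIUS_M = 6_371_000.0
METRES_PER_DEG_LAT = 111_320.0  # approximate, adequate for grid snapping

def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))

def coarsen(lat, lon, cell_m=300.0):
    """Snap a point to the centre of a roughly cell_m-square grid cell, so the
    value released to clients carries no more precision than the alert radius."""
    lat_step = cell_m / METRES_PER_DEG_LAT
    snapped_lat = (math.floor(lat / lat_step) + 0.5) * lat_step
    # Longitude step is derived from the snapped latitude so that every point in
    # the same latitude band shares one grid, giving identical pins per cell.
    lon_step = cell_m / (METRES_PER_DEG_LAT * math.cos(math.radians(snapped_lat)))
    snapped_lon = (math.floor(lon / lon_step) + 0.5) * lon_step
    return (round(snapped_lat, 6), round(snapped_lon, 6))

# Constructed patient records. They stay server-side and are never serialised.
PATIENTS = [
    {"lat": 24.8607, "lon": 67.0011, "radius_m": 10.0},   # self-declared case
    {"lat": 24.8620, "lon": 67.0030, "radius_m": 300.0},  # quarantine location
    {"lat": 24.9000, "lon": 67.1000, "radius_m": 300.0},  # far from the user
]

def radius_alert(user_lat, user_lon, viewport_m=2000.0):
    """The only thing the API hands the client: how many alert zones the user
    is inside, plus coarsened cell centres for map pins. No exact coordinates."""
    inside = 0
    pins = set()
    for p in PATIENTS:
        d = haversine_m(user_lat, user_lon, p["lat"], p["lon"])
        if d <= p["radius_m"]:
            inside += 1
        if d <= viewport_m:
            # Never coarsen finer than 300 m, even for a 10 m self-declared radius.
            pins.add(coarsen(p["lat"], p["lon"], max(p["radius_m"], 300.0)))
    return {"zones_inside": inside, "pins": sorted(pins)}
```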
The app’s brief privacy policy reads that the app “helps in gathering requisite information to identify an infected individual for the provision of necessary health services and related guidance, adhering to social, moral, ethical values, and privacy”.
Referring to Robert’s screenshot showing the use of a hardcoded password, he said the hardcoded password was the defined “keyword” used to give extra protection to the auth-token endpoint so that it could only be used from mobile apps. “All our APIs communicate using HTTPS. Hence, security and protection of data and users as per international standards is of prime importance and implemented at the core,” he concluded.
The NITB CEO said there was always room for improvement and any critical analysis would be appreciated. He said the NITB was preparing a security audit report of the app.
An independent mobile app security test on the web security site ImmuniWeb showed that the app contained potentially sensitive hardcoded data. The app also uses an unencrypted database that can be accessed by an attacker with physical access to the mobile device or by a malicious application with root access to the device. The app should not store sensitive information in clear text.
“While the intent behind the app is noble — to help save lives of people affected by Covid-19 and also those at risk — testing of the app shows that its security and privacy protocols are not up to the mark,” Bolo Bhi director Usama Khilji told Dawn after scanning the app.
“The server appears to use a username and password for authentication [for access], and these values are hardcoded in all copies of the Android application. This makes it easy for anyone to inspect these values in the application,” said Amin Shah Gilani, former interim chief technology officer of Patari.
The Digital Rights Foundation has demanded that the federal government disclose its data sharing policy in detail.
Published in Dawn, June 11th, 2020