Govt’s Covid-19 app sparks furore over security flaws

Published June 11, 2020
National IT board preparing app’s audit report. — AFP/File
National IT board preparing app’s audit report. — AFP/File

KARACHI: The government’s Covid-19 Gov PK mobile application came under criticism for security flaws on Tuesday by a French security researcher.

Baptiste Robert, a French security researcher who specialises in smartphone apps that abuse user data, reported several privacy gaffes in the application developed by the National IT Board (NITB).

The Android app requests users to allow it to access their mobile location data to show Covid-19 patient within a radius of 30 to 300 metres. It also allows patients to mark their location on the app to help others identify if there is a positive case in their locality.

‘Worst security practice’

In a series of tweets, Robert — who tweets under the pseudonym Elliot Alderson — said the “radius alert” app was being managed without proper security bearings using hardcoded passwords.

Password hardcoding refers to the practice of embedding plain text (non-encrypted) passwords in the source code.

National IT board preparing app’s audit report

“To display the pins on the map, the app is downloading the exact longitude and latitude of sick people,” he said, adding that the security flaw meant any hacker could find the locations of the identified patients in Pakistan.

He further tweeted that requests being sent to the server on the app were insecure (requests made with http). As a result, any potential attacker would be able to access any username and password being used to access the server.

“By keeping hardcoded credentials, use http or disclose personal data of infected people, the “COVID-19 Gov PK” mobile app is a compilation of the worst security practices in mobile development,” Mr Robert told Dawn.

To date, over 500,000 people have downloaded the app.

Govt rejects claims

Responding to the allegations, NITB CEO Shabahat Ali Shah in a statement on Twitter said: “The app does not show the exact coordinates of the infected people, instead it shows a radius parameter that is fixed by def­ault at 10m for self-declared pati­e­nts and 300m at a quarantine location.”

The self-declared patients have given their consent to reveal their coordinates for the safety of other citizens, he added. “Moreover, they have accepted our app privacy policy/terms and conditions.”

The app’s brief privacy policy reads that the app “helps in gathering requisite information to identify an infected individual for the provision of necessary health services and related guidance, adhering to social, moral, ethical values, and privacy”.

Referring to Robert’s screenshot showing use of hardcoded password, he said the hardcoded password was the defined “keyword” to give more security to auth-token endpoint so that it could be only used from mobile apps. “All our APIs communicate using HTTPS. Hence, security and protection of data and users as per international standards is of prime importance and implemented at the core,” he concluded.

The NITB CEO said there was always room for improvement and any critical analysis would be appreciated. He said the NITB was preparing a security audit report of the app.

Experts unconvinced

An independent mobile app security test on web security website ImmuniWeb revealed that the app contained potentially sensitive hardcoded data. The app also uses an unencrypted database that can be accessed by an attacker with physical access to the mobile device or a malicious application with root access to the device. The app should not store sensitive information in clear text.

“Whereas the intent behind the app is noble — to help save lives of people affected by Covid-19 and also those at risk — testing of the app shows that it’s security and privacy protocols are not up to the mark,” Bolo Bhi director Usama Khilji told Dawn after scanning the app.

“The server appears to use a username and password for authentication [for access], and these values are hardcoded in all copies of the Android application. This makes it easy for anyone to inspect these values in the application,” said Amin Shah Gilani, former interim chief technology officer of Patari.

The Digital Rights Foundation has demanded that the government disclose its data sharing policy in detail.

Published in Dawn, June 11th, 2020



Dark days
Updated 26 May, 2022

Dark days

The PTI, on its part, does not seem to have been prepared to face such a large deployment of state machinery.
26 May, 2022

No room for dissent

WHILE political turmoil roils the land, a number of incidents over the past few days have demonstrated that though...
26 May, 2022

Harassing passengers

REPORTS of the confiscation of personal items from passengers’ private luggage by customs officials at Karachi’s...
Back to bedlam
Updated 25 May, 2022

Back to bedlam

FEAR tactics have never worked in the past, and most likely will not this time either. The government’s ...
25 May, 2022

Balochistan blaze

THE forest fire on the Koh-i-Sulaiman range in Balochistan’s Shirani area is among a series of blazes to have...
25 May, 2022

Unequal citizens

INDIFFERENCE would have been bad enough, but the state’s attitude towards non-Muslims falls squarely in the...