Govt’s Covid-19 app sparks furore over security flaws

Published June 11, 2020
National IT board preparing app’s audit report. — AFP/File

KARACHI: The government’s Covid-19 Gov PK mobile application was criticised on Tuesday by a French security researcher for security flaws.

Baptiste Robert, a French security researcher who specialises in smartphone apps that abuse user data, reported several privacy gaffes in the application developed by the National IT Board (NITB).

The Android app asks users to grant access to their mobile location data so that it can show Covid-19 patients within a radius of 30 to 300 metres. It also lets patients mark their own location on the app to help others identify whether there is a positive case in their locality.

‘Worst security practice’

In a series of tweets, Robert — who tweets under the pseudonym Elliot Alderson — said the “radius alert” app was being run without proper security safeguards and used hardcoded passwords.

Password hardcoding refers to the practice of embedding plain text (non-encrypted) passwords in the source code.


“To display the pins on the map, the app is downloading the exact longitude and latitude of sick people,” he said, adding that the security flaw meant any hacker could find the locations of the identified patients in Pakistan.

He further tweeted that requests sent from the app to the server were insecure (made over plain http rather than https). As a result, anyone able to intercept that traffic could read the username and password used to access the server.

“By keeping hardcoded credentials, use http or disclose personal data of infected people, the ‘COVID-19 Gov PK’ mobile app is a compilation of the worst security practices in mobile development,” Mr Robert told Dawn.

To date, over 500,000 people have downloaded the app.

Govt rejects claims

Responding to the allegations, NITB CEO Shabahat Ali Shah in a statement on Twitter said: “The app does not show the exact coordinates of the infected people, instead it shows a radius parameter that is fixed by default at 10m for self-declared patients and 300m at a quarantine location.”

The self-declared patients have given their consent to reveal their coordinates for the safety of other citizens, he added. “Moreover, they have accepted our app privacy policy/terms and conditions.”

The app’s brief privacy policy reads that the app “helps in gathering requisite information to identify an infected individual for the provision of necessary health services and related guidance, adhering to social, moral, ethical values, and privacy”.

Referring to Robert’s screenshot showing use of hardcoded password, he said the hardcoded password was the defined “keyword” to give more security to auth-token endpoint so that it could be only used from mobile apps. “All our APIs communicate using HTTPS. Hence, security and protection of data and users as per international standards is of prime importance and implemented at the core,” he concluded.

The NITB CEO said there was always room for improvement and any critical analysis would be appreciated. He said the NITB was preparing a security audit report of the app.

Experts unconvinced

An independent mobile app security test run on the web security site ImmuniWeb found that the app contained potentially sensitive hardcoded data. The app also uses an unencrypted local database, which can be read by an attacker with physical access to the device or by a malicious application running with root access. The app should not store sensitive information in clear text.

“Whereas the intent behind the app is noble — to help save lives of people affected by Covid-19 and also those at risk — testing of the app shows that its security and privacy protocols are not up to the mark,” Bolo Bhi director Usama Khilji told Dawn after scanning the app.

“The server appears to use a username and password for authentication [for access], and these values are hardcoded in all copies of the Android application. This makes it easy for anyone to inspect these values in the application,” said Amin Shah Gilani, former interim chief technology officer of Patari.
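The two defects the researchers describe above, credentials hardcoded into every copy of the app and API requests sent over plain http, are exactly what a pre-release static check of an Android build should catch. The following is an added example, not code from the article or from NITB: a small audit that scans constructed samples of a decompiled app’s `strings.xml` and Java source (both invented here, with placeholder values) and reports credential-like resource names and cleartext `http://` endpoints.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample resources and source (not from the Covid-19 Gov PK app);
# values are placeholders used only to exercise the checks below.
SAMPLE_STRINGS_XML = """<resources>
  <string name="api_base">http://api.example.invalid/v1/</string>
  <string name="api_user">mobileapp</string>
  <string name="api_password">s3cret-placeholder</string>
  <string name="app_name">Demo Tracker</string>
</resources>"""

SAMPLE_SOURCE = """
private static final String AUTH_KEYWORD = "keyword-placeholder";
String url = "http://api.example.invalid/v1/token";
String safe = "https://api.example.invalid/v1/cases";
"""

# Identifier names that usually hold a secret, and string literals that are cleartext URLs.
SECRET_KEY_RE = re.compile(r"(pass(word)?|secret|token|keyword|api[_-]?key)", re.I)
CLEARTEXT_URL_RE = re.compile(r'"(http://[^"\s]+)"')
STRING_LITERAL_ASSIGN_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')


def audit_strings_xml(xml_text):
    """Flag <string> resources whose name looks like a credential or whose value is an http:// URL."""
    findings = []
    for node in ET.fromstring(xml_text).iter("string"):
        name, value = node.get("name", ""), (node.text or "")
        if SECRET_KEY_RE.search(name):
            findings.append(("hardcoded_credential", name))
        if value.startswith("http://"):
            findings.append(("cleartext_url", value))
    return findings


def audit_source(src):
    """Flag string-literal assignments to secret-like identifiers and any http:// literal."""
    findings = []
    for ident, _value in STRING_LITERAL_ASSIGN_RE.findall(src):
        if SECRET_KEY_RE.search(ident):
            findings.append(("hardcoded_credential", ident))
    for url in CLEARTEXT_URL_RE.findall(src):
        findings.append(("cleartext_url", url))
    return findings


def audit_app(xml_text, src):
    """Combine both checks into one stable, sorted report of (kind, detail) pairs."""
    return sorted(audit_strings_xml(xml_text) + audit_source(src))


if __name__ == "__main__":
    for kind, detail in audit_app(SAMPLE_STRINGS_XML, SAMPLE_SOURCE):
        print(f"{kind}: {detail}")
```

Any `hardcoded_credential` finding means the secret ships in every installed copy and must move to a per-user, server-issued token; any `cleartext_url` finding should be fixed by switching the endpoint to https and disallowing cleartext traffic in the app’s network security configuration.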

The Digital Rights Foundation has demanded that the government disclose its data sharing policy in detail.

Published in Dawn, June 11th, 2020
