Porous Coronavirus apps by governments put citizen data at risk

News by Rene Millman

People's privacy and data security face risk of attacks from cyber-criminals who tap unsecured official Coronavirus Android apps

The privacy and security of people’s data could be at risk from attack over poor security practices in official Coronavirus Android apps.

Security researchers at Zerofox noted there are several vulnerabilities in apps designed to track infections in the population. In a report, researchers analysed several such apps from governments around the world.

Researchers detailed three apps where security was lacking. An app produced by the Iranian government, and available through an app store called CafeBazaar, was harvesting personal information and tracking citizens instead of giving information on Covid-19.

“Worryingly, an impostor application ‘CoronaApp’ was also discovered and available for direct download at `coronaapp[.]ir`. This unofficial download website is linked in multiple news websites, Telegram groups and social network posts.

“This is especially harrowing because the application is not on the Google Play store, which provides application vetting processes. Unfortunately, because the country is under sanction and most Iranians cannot access the Google Play store, they are vulnerable to unvetted COVID-19 mobile apps that some malicious developers can use to their advantage,” wrote the researchers.

In Colombia, the CoronApp-Colombia app was aimed at helping people track symptoms related to COVID-19. However, the app contained a number of vulnerabilities that affect the privacy of more than 100,000 users.

“The current version of CoronApp-Colombia on Google Play (1.2.9 as of 25 Mar 2020) uses Insecure Communication with the API server throughout the app workflow,” said researchers. The API server address is hardcoded as a plain `http://` URL rather than `https://`, so every request the app makes to its backend travels unencrypted and can be read or altered by anyone on the network path.
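The finding above, a hardcoded `http://` API endpoint, is the kind of defect that can be caught by a static check over the decompiled APK before release. The following Python script is an added example written for this article, not code from ZeroFOX or from the app; it scans extracted source and resource files for cleartext URLs and then works out from the manifest and optional `network_security_config.xml` whether the platform would actually let those requests through (Android 9, API 28, blocks cleartext by default unless `android:usesCleartextTraffic="true"` is set or the network security config permits it). The file contents and the `example-health.test` host are constructed sample data; the function names are this example's own.

```python
"""Static check for cleartext (http://) API endpoints in decompiled Android
sources, plus the manifest / network-security-config settings that decide
whether such requests would actually be sent.

Added example for this article (hypothetical helper, not from any real app).
The sample files below are constructed and use a reserved .test domain.
"""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# http:// URLs, excluding XML namespace URIs and the loopback host, which are
# not traffic to a remote API server.
HTTP_URL = re.compile(
    r'http://(?!schemas\.android\.com|localhost|127\.0\.0\.1)[^\s"\'<>]+'
)


def find_cleartext_urls(sources):
    """sources: {relative_path: file_text}. Returns [(path, line_no, url), ...]."""
    hits = []
    for path, text in sources.items():
        for line_no, line in enumerate(text.splitlines(), 1):
            for match in HTTP_URL.finditer(line):
                hits.append((path, line_no, match.group(0)))
    return hits


def cleartext_permitted(manifest_xml, network_config_xml=None):
    """Would the platform allow an http:// request from this app?

    Rules implemented (simplified to the base config; per-domain overrides in
    <domain-config> are not evaluated here):
      - If a network security config is present, its <base-config
        cleartextTrafficPermitted> wins and the manifest flag is ignored.
      - Otherwise android:usesCleartextTraffic decides if set.
      - Otherwise the platform default: allowed below targetSdkVersion 28,
        blocked from 28 (Android 9) onward.
    """
    root = ET.fromstring(manifest_xml)
    uses_sdk = root.find("uses-sdk")
    target = 1
    if uses_sdk is not None:
        target = int(uses_sdk.get(ANDROID_NS + "targetSdkVersion", "1"))
    default_allowed = target < 28

    if network_config_xml is not None:
        base = ET.fromstring(network_config_xml).find("base-config")
        if base is not None and base.get("cleartextTrafficPermitted") is not None:
            return base.get("cleartextTrafficPermitted") == "true"
        return default_allowed  # config present: manifest flag is ignored

    app = root.find("application")
    flag = app.get(ANDROID_NS + "usesCleartextTraffic") if app is not None else None
    if flag is not None:
        return flag == "true"
    return default_allowed


def audit(sources, manifest_xml, network_config_xml=None):
    """Combine both checks into one verdict for a decompiled app."""
    urls = find_cleartext_urls(sources)
    allowed = cleartext_permitted(manifest_xml, network_config_xml)
    return {
        "cleartext_urls": urls,
        "cleartext_permitted": allowed,
        "exploitable": bool(urls) and allowed,
    }


# ---- constructed sample input (not from a real app) -----------------------
SAMPLE_SOURCES = {
    "sources/com/example/covid/ApiClient.java": (
        "public class ApiClient {\n"
        "    // hardcoded base URL using plain HTTP\n"
        '    static final String BASE_URL = "http://api.example-health.test/v1/";\n'
        '    static final String PRIVACY = "https://example-health.test/privacy";\n'
        "}\n"
    ),
    "res/values/strings.xml": (
        '<resources xmlns:tools="http://schemas.android.com/tools">\n'
        '    <string name="report_url">http://api.example-health.test/v1/report</string>\n'
        "</resources>\n"
    ),
}

SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.covid">
  <uses-sdk android:minSdkVersion="21" android:targetSdkVersion="28"/>
  <application android:label="Example" android:usesCleartextTraffic="true"/>
</manifest>"""

NO_FLAG_MANIFEST = SAMPLE_MANIFEST.replace(' android:usesCleartextTraffic="true"', "")

HARDENED_CONFIG = """<network-security-config>
  <base-config cleartextTrafficPermitted="false"/>
</network-security-config>"""

if __name__ == "__main__":
    for label, cfg in (("as shipped", None), ("with hardened config", HARDENED_CONFIG)):
        result = audit(SAMPLE_SOURCES, SAMPLE_MANIFEST, cfg)
        print(label, "->", result["exploitable"])
        for path, line_no, url in result["cleartext_urls"]:
            print(f"  {path}:{line_no}: {url}")
```

Run against an `apktool d` or `jadx` output tree by reading each file into the `sources` dict. Note that the hardened config only stops the platform from sending cleartext; the fix the report calls for is still to change the hardcoded URL to `https://`, otherwise the app simply fails to reach its server.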

In Italy, the proliferation of apps aimed at individual regions of the country has given attackers cover to release malicious fake apps carrying backdoors.

“A greater number of government-sanctioned applications causes users to be less certain of which Covid-19 mobile apps are legitimate. Threat actors have taken advantage of this confusion, and have released malicious applications, like this backdoored app, to prey on users who may mistakenly download the malicious app,” said researchers.

To prevent this and protect their citizens, the researchers said, governments should be consistent about where their Covid-19 mobile apps can be downloaded, and even about how they look, so that users can tell the official app from a lookalike.

Niamh Muldoon, senior director of Trust and Security at OneLogin, told SC Media UK: “It is vital that apps like this containing individuals’ most sensitive health data are designed with both security and privacy in mind.

“Bear in mind that more rush can also lead to less speed. Rigorous security testing is needed prior to an app like this going into production and being released for public usage. Not designing security and privacy into the app could result in security and privacy holes,” she said.

Fabian Libeau, EMEA VP at RiskIQ, told SC Media UK that security teams need a solution that helps them quickly find, analyse, and mitigate any mobile threats that may impact their official, unofficial, and rogue mobile apps, and take corrective action with app stores from inside the platform.

“By discovering apps across hundreds of mobile app stores and monitoring them for malware or compromise, security personnel can maintain a secure mobile presence as well as the trust of their customers and prospects,” he said.
