EU Exit: ID Document Check, the Android smartphone app developed by the UK Home Office, is porous, according to Norwegian cyber-security company Promon. The app was launched to "quickly and securely confirm your identity, as part of your application to stay in the UK after it leaves the EU," says its profile page on Google Play. It has been downloaded more than a million times.
"The Home Office’s Brexit app, used by people to confirm their identity as part of their application to stay in the United Kingdom should it leave the European Union, is at serious risk of malware attack, potentially allowing hackers to steal passport information and facial scans," read the Promon research report.
The app requires users to scan their passports and faces as part of the application process. The researchers did not report a specific vulnerability in the app; instead they concluded that it is not safe by listing the protections it lacks.
The Android app lacks functionality that prevents malware from reading and stealing user information, including passport details and photo IDs; injecting code while the app is running is relatively easy; it fails to detect an attacker analysing the app at runtime; and it does not employ obfuscation, which can make developing targeted malware more time consuming for an attacker.
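As an added illustration of the third point (runtime-analysis detection), not code from the Promon report or the Home Office app: a minimal Android self-check that an app can run before it handles a passport scan. It assumes it executes inside an Android application; the class and method names are hypothetical.

```java
// Added example: detect a debugger or ptrace tracer attached to the running app.
// Assumes an Android runtime; RuntimeIntegrityCheck and its methods are hypothetical names.
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.os.Debug;

import java.io.BufferedReader;
import java.io.FileReader;
import java.io.IOException;

public final class RuntimeIntegrityCheck {

    /** Outcome of the check; the caller decides how to react (refuse the scan, log, alert). */
    public enum Finding { NONE, DEBUGGER_ATTACHED, TRACER_PRESENT, DEBUGGABLE_BUILD }

    public static Finding inspect(Context context) {
        // 1. A JDWP debugger attached to the ART/Dalvik VM.
        if (Debug.isDebuggerConnected() || Debug.waitingForDebugger()) {
            return Finding.DEBUGGER_ATTACHED;
        }
        // 2. A native tracer (ptrace) attached to this process: TracerPid != 0 in /proc/self/status.
        if (tracerPid() != 0) {
            return Finding.TRACER_PRESENT;
        }
        // 3. A release build must not be debuggable; the flag makes attaching a debugger trivial.
        int flags = context.getApplicationInfo().flags;
        if ((flags & ApplicationInfo.FLAG_DEBUGGABLE) != 0) {
            return Finding.DEBUGGABLE_BUILD;
        }
        return Finding.NONE;
    }

    /** Reads the TracerPid field from /proc/self/status; 0 means no tracer (or file unreadable). */
    static int tracerPid() {
        try (BufferedReader reader = new BufferedReader(new FileReader("/proc/self/status"))) {
            String line;
            while ((line = reader.readLine()) != null) {
                if (line.startsWith("TracerPid:")) {
                    return Integer.parseInt(line.substring("TracerPid:".length()).trim());
                }
            }
        } catch (IOException | NumberFormatException e) {
            // Unreadable status file is treated as "no tracer"; a stricter policy may fail closed.
        }
        return 0;
    }
}
```

Checks like these are bypassable by a determined attacker, so they complement obfuscation and server-side validation of the submitted identity data rather than replace them.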
"From our research, we found that the Brexit app on Android lacks crucial security measures, which is hugely concerning when you consider the sensitive nature of the information that users input into it," Promon CTO Tom Lysemose Hansen commented in the report.
The researchers tested only the Android version of the app, but that does not mean iPhone users of the same app are safe, noted Israel Barak, chief information security officer at Cybereason.
"Today, consumers should be working under the assumption that their private information has been stolen by hackers ten times over and should be reminded again to watch their identities and credit for abuse. As an industry, until we can start making cybercrime unprofitable for adversaries, they will continue to hold the cards that will yield potentially massive payouts," he said.
The UK Home Office told the Financial Times that the app's resilience against all known and emerging threats is regularly tested and that it conforms to the norms on performance, security and accessibility.
The UK Home Office's intention to replace a cumbersome paper application with a smartphone app is laudable, but the implementation has fallen short, observed Jonathan Knudsen, senior security strategist at Synopsys.
The cornerstone of real software engineering is a Secure Development Life Cycle (SDLC), in which security is a primary consideration at every phase of design and implementation. Coupled with more and better testing, the SDLC is a process that helps organisations produce software that is safer, more secure and more robust, he explained.
"Perhaps a top-to-bottom security-forward reworking of this app would produce both the desired functionality as well as the necessary safety and security for such a sensitive app."