Dozens of COVID Passport Apps Put User’s Privacy at Risk
The users can then show this QR code or proof of vaccination when needed to enter areas considered high risk for viral transmission, required for travel, etc.
The issuers of these apps are typically the health and IT departments of governments, while the developers are often contracted experts in mobile software development.
Symantec’s team looked into 40 digital vaccine passport apps and ten validation (scanner) applications and found that 27 suffer from some of the following privacy and security risks.
Also Read: The 5 Phases of Penetration Testing You Should Know
The first type of problem highlighted in the Symantec report is that many of these tools generate QR codes that are not encrypted but merely encoded.
Encoding is a term used to denote data conversion, in this case, health data, to a digital format that is easy to scan and process.
On the other hand, encryption transforms data into a non-readable form using cryptographic algorithms. In this case, only authorized entities hold the key to decipher the data and read it.
By relying on encoding and not encryption, anyone using a QR scanner app on a checkpoint may decode scanned data and infer sensitive personal details.
Also Read: Got Hacked? Here Are 5 Ways to Handle Data Breaches
Another prevalent issue discovered by Symantec’s team concerns the on-demand transmission of the health data from cloud-storage services, not requiring an HTTPS connection in 38% of the cases, and thus making the users vulnerable to man-in-the-middle attacks.
A third problem concerns external storage access permissions on Android, which is a risky approval because it gives the app unconditional access to the device’s local files. This was an issue in 17 of the 40 apps or 43% of the total.
Other security risks include hard-coded cloud service credentials and the absence of SSL CA validation, again putting the user’s sensitive data at risk.
How to minimize the risks
If you’re obliged to use a digital vaccination passport app, avoid third-party wallets from obscure vendors and prefer those from firms that vet them more vigorously, like Apple Health and Google Wallet.
During installation, pay attention to the requested permissions and avoid granting those that appear risky or aren’t directly relevant to the application’s core functionality. If the app is legitimate, it should continue to serve its purpose even with partial permissions.