Dozens of COVID passport apps put user’s privacy at risk

Roughly two-thirds of test digital vaccination applications commonly used today as safe passes and travel passports exhibit behavior that may put users’ privacy at risk.

The risks are substantial as these apps are required for large populations worldwide, allowing hackers an extensive target base.

Digital passports

Digital passport apps store proof of a person’s COVID-19 vaccination status, full name, ID number, date of birth, and other personally identifiable information (PII) encoded in a QR code or displayed directly in the app.

The users can then show this QR code or proof of vaccination when needed to enter areas considered high risk for viral transmission, required for travel, etc.

The issuers of these apps are typically the health and IT departments of governments, while the developers are often contracted experts in mobile software development.

Symantec’s team looked into 40 digital vaccine passport apps and ten validation (scanner) applications and found that 27 suffer from some of the following privacy and security risks.

The first type of problem highlighted in the Symantec report is that many of these tools generate QR codes that are not encrypted but merely encoded.

Encoding is a term used to denote data conversion, in this case, health data, to a digital format that is easy to scan and process.

On the other hand, encryption transforms data into a non-readable form using cryptographic algorithms. In this case, only authorized entities hold the key to decipher the data and read it.

By relying on encoding and not encryption, anyone using a QR scanner app on a checkpoint may decode scanned data and infer sensitive personal details.

Another prevalent issue discovered by Symantec’s team concerns the on-demand transmission of the health data from cloud-storage services, not requiring an HTTPS connection in 38% of the cases, and thus making the users vulnerable to man-in-the-middle attacks.

A third problem concerns external storage access permissions on Android, which is a risky approval because it gives the app unconditional access to the device’s local files. This was an issue in 17 of the 40 apps or 43% of the total.

Other security risks include hard-coded cloud service credentials and the absence of SSL CA validation, again putting the user’s sensitive data at risk.

How to minimize the risks

If you’re obliged to use a digital vaccination passport app, avoid third-party wallets from obscure vendors and prefer those from firms that vet them more vigorously, like Apple Health and Google Wallet.

During installation, pay attention to the requested permissions and avoid granting those that appear risky or aren’t directly relevant to the application’s core functionality. If the app is legitimate, it should continue to serve its purpose even with partial permissions.

Source: https://www.bleepingcomputer.com/news/security/dozens-of-covid-passport-apps-put-users-privacy-at-risk/