An independent audit of the Hong Kong government's digital COVID-19 contact-tracing apps found significant security issues in the software, but could not show that the flaws had been introduced deliberately to enable unauthorized tracking.
The "Leave Home Safe" mobile apps became available for download in November 2020, allowing users to scan a QR code at more than 9,000 public and private locations in Hong Kong, and on ID tags in 18,000 taxis, to record their movements.
The apps also notified users if a confirmed COVID-19 case had recently visited one of those places.
7ASecurity, a Polish computer network security and testing company, conducted a privacy and security audit of the Leave Home Safe Android and iOS apps in April and May on behalf of an anonymous third party.
The work was funded by the Open Technology Fund (OTF), an American non-profit organization that supports global Internet freedom technologies and, like Radio Free Asia, is part of the United States Agency for Global Media, an independent US government agency that disseminates news and information in 63 languages.
The parties released the 55-page report on Wednesday.
When the Hong Kong government rolled out the apps, residents worried about the security and privacy risks they might introduce, as RFA reported at the time.
Fewer than half a million downloads occurred in the first two weeks, partly because of privacy concerns among the city's roughly 7.5 million residents, and many people acquired a second mobile device to avoid having sensitive content on the same phone, OTF said in an announcement on its website.
Since November 1, 2021, the Hong Kong government has made use of the apps mandatory for anyone entering government-run buildings, including courts, swimming pools, public markets, hospitals, shopping malls and places of worship. The apps have recently started asking for real-name registration and tracking users' movements.
The purpose of the audit was to have an independent third party verify whether Leave Home Safe’s official privacy and security statements are accurate.
On Wednesday, OTF released 7ASecurity's audit report with 12 findings, eight of which are categorized as security vulnerabilities and four as general weaknesses with lower potential for exploitation. Three of the findings were rated high or critical in severity.
“While no clear privacy breaches could be conclusively proven during runtime auditing, a number of application artifacts, likely inherited from underlying dependencies or simply security vulnerabilities introduced by mistake, were discovered during this exercise,” the report said.
The privacy audit could not conclusively prove malicious intent or unauthorized tracking of Hong Kongers, the report said.
One of the vulnerabilities was that the Android application failed to validate the TLS certificates that secure its Internet connections (the certificates that authenticate the server so that data in transit can be encrypted to the right party), so an attacker positioned between the app and the server could intercept and alter communications without any warning to the user.
7ASecurity also found that the Android app stores vaccination and COVID test status images on the device's external storage (SD card) when users import these QR codes from more secure locations such as Google Drive. External storage is an inappropriate place for sensitive data: a removable SD card can be taken out of the device and read on any computer, and because it is shared storage the files are also readable by other apps that hold the storage permission.
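The storage finding comes down to which directory the imported image is written to. The added example below (illustrative code written for this article, not the app's or the auditors' code) shows the external-storage write that produces the problem next to two progressively stronger fixes: app-private internal storage, and the same file encrypted at rest with a key held in the Android Keystore. File names and method names are assumptions; the encrypted variant assumes the `androidx.security:security-crypto` dependency.

```java
import android.content.Context;
import android.os.Environment;
import androidx.security.crypto.EncryptedFile;
import androidx.security.crypto.MasterKey;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.OutputStream;
import java.security.GeneralSecurityException;

public final class QrStorageExample {

    // VULNERABLE: writes the imported QR image to shared external storage.
    // On devices with a removable SD card the file sits on a card that can be
    // pulled and read on any computer; it is also visible to other apps that
    // hold the storage permission.
    static File saveToExternalStorage(byte[] png) throws IOException {
        File dir = Environment.getExternalStoragePublicDirectory(Environment.DIRECTORY_PICTURES);
        File out = new File(dir, "vaccination_qr.png");
        try (FileOutputStream fos = new FileOutputStream(out)) { fos.write(png); }
        return out;
    }

    // HARDENED (step 1): app-private internal storage. The file is owned by the
    // app's own UID, lives on non-removable internal storage, and is not
    // reachable by other apps or by pulling an SD card.
    static File saveToInternalStorage(Context ctx, byte[] png) throws IOException {
        try (FileOutputStream fos = ctx.openFileOutput("vaccination_qr.png", Context.MODE_PRIVATE)) {
            fos.write(png);
        }
        return new File(ctx.getFilesDir(), "vaccination_qr.png");
    }

    // HARDENED (step 2): additionally encrypt at rest with a Keystore-backed
    // master key, so a filesystem dump from a rooted or forensically imaged
    // device does not expose the image either.
    static File saveEncrypted(Context ctx, byte[] png) throws IOException, GeneralSecurityException {
        MasterKey masterKey = new MasterKey.Builder(ctx)
                .setKeyScheme(MasterKey.KeyScheme.AES256_GCM)
                .build();
        File target = new File(ctx.getFilesDir(), "vaccination_qr.png.enc");
        if (target.exists()) target.delete();  // EncryptedFile will not overwrite an existing file
        EncryptedFile encryptedFile = new EncryptedFile.Builder(ctx, target, masterKey,
                EncryptedFile.FileEncryptionScheme.AES256_GCM_HKDF_4KB).build();
        try (OutputStream os = encryptedFile.openFileOutput()) { os.write(png); }
        return target;
    }
}
```

When auditing an app for this class of issue, the practical check is to grep the code for `getExternalStorageDirectory`, `getExternalStoragePublicDirectory` and `getExternalFilesDir`, then confirm on a test device (via `adb shell`) whether any file under `/sdcard` or `/storage` contains the health data after an import.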
Additionally, the audit determined that the Leave Home Safe Android app uses several cryptographic functions with known security weaknesses, either directly or through legacy libraries.
The iOS app does not make use of the stronger data protection classes iOS offers, so most of its files are stored under the default protection level, which keeps the decryption key in memory while the device is locked. This is one of the weakest file protection levels available on iOS (as opposed to NSFileProtectionComplete, which evicts the key when the device locks): an attacker with physical access to a locked device could recover the key from memory and read the app's local data files without ever unlocking the device.
The report also listed limitations of the audit itself: the testers did not have credentials for the Hong Kong health code system, valid Hong Kong COVID vaccination QR codes, or valid Hong Kong COVID test QR codes, so the functions that depend on them could not be fully exercised.
"This poor result strongly suggests that the Leave Home Safe mobile apps have not been audited by any competent security company before," OTF said in its announcement. "This contrasts sharply with the documentation on the official Leave Home Safe website, which states that the mobile apps were previously audited on December 10, 2021, and only one 'low' priority issue was identified."
7ASecurity recommended that the issues raised in the report be addressed to strengthen the security of the Leave Home Safe platform, and that a thorough review, including a full code audit, be performed. The company also suggested testing the platform regularly, at least once a year or whenever substantial changes are rolled out, to ensure new features do not introduce security holes.
RFA previously reported that Hong Kong police were investigating the origins of a bogus app after the government made the Leave Home Safe app mandatory for those entering government-run facilities.