Govt refutes French security researcher's allegations of COVID-19 app being 'unsafe'

NITB says security and protection of data of users as per international standards is of prime importance and implemented at the core

By Web Desk
June 10, 2020

The government on Wednesday rejected reports that its newly released app COVID-19 Gov PK contained security flaws and bugs after a French security researcher said that it had several issues including privacy concerns, in a social media thread.

A press release by the National Information Technology Board (NITB) said the issues put forward by the French researcher were incorrect.

“The purpose of the app is to stop the epidemic spread. A very limited personal information of the user is collected. The app does not show the exact coordinates of the infected people, instead, it shows the radius parameter that is fixed by default at 10 meters for self-declared patients and 300 meters at a quarantine location. Hence, self-declared patients have given their consent to reveal their coordinates for the safety of other citizens. Moreover, they have accepted our app privacy policy/terms and conditions,” it said.

It added, “No user login mechanism is present in the app. Therefore, the use of login and passwords are not part of app workflow. The screenshot mentioning the hardcoded password is the defined keyword to give more security to auto-token endpoint, so that endpoint can only be used from mobile apps.”

“All our APIs communicate using HTTPS. Hence, security and protection of data of users as per international standards is of prime importance and implemented at the core,” it added.

Security flaws in app

In a thread on Twitter, a French security researcher who goes by the name Elliot Alderson (also the name of a television character, a cybersecurity engineer in the hit TV show 'Mr Robot') on Tuesday said that he had "analysed" the app and found several serious deficiencies in it.

"Yesterday night, I analysed 'COVID-19 Gov PK' the official #Covid19 mobile app made by the Pakistani government. Hardcoded passwords, insecure connections, privacy issues, ... nothing is ok with this app," he wrote.

The app is "made by the Ministry of IT and Telecom with National Information Technology Board, is available on the PlayStore and has been downloaded more than 500,000 times", noted Alderson.

It was released on March 27, according to the Google Play Store.

According to Alderson, the app is not a contact tracing app and lets a user view dashboards for each province and state.

"You can do a self-assessment, get radius alert, get a popup notification reminding the user of their personal hygiene," he wrote, as he described his user experience.

The security researcher went on to say that when the app is first opened, "it asks a token to the pak gov server with hardcoded credentials: CovidAppUser/CovidApi!@#890#".

Hardcoded credentials, meaning a password embedded directly in the application's code (usually for the developer's convenience), are a major security risk: anyone who extracts them from the app can use them to gain access to the app's back end or, worse, the device. They are usually left in during the development stage but should be removed before the app's release.

The researcher said that when the app "requests the position of infected people on the map", more hardcoded credentials were found.

He went on to say that the first request made by the app is "unsecure".
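The two defects the thread describes, credentials embedded in the shipped client and a token request sent over plain HTTP, are both visible in the decompiled client and can be caught by a static check before release. The script below is an added example written for this article; it is not code from the NITB app or from the researcher's thread. It runs over a constructed snippet that imitates decompiled Android source, and every identifier, URL and credential value in it is made up. It reports the length of a matched secret rather than the secret itself so that scan output does not become another place the credential leaks.

```python
"""Added example (not from the article, NITB or the researcher): a small
static check for hardcoded credential literals and cleartext http:// endpoints
in client source. All names, URLs and values below are constructed."""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample imitating a few lines of decompiled client code.
SAMPLE_SOURCE = """\
public static final String API_USER = "demo_app_user";
public static final String API_PASS = "demo_P@ssw0rd_123";
private static final String TOKEN_URL = "http://api.example.invalid/auth/token";
private static final String MAP_URL = "https://api.example.invalid/cases/nearby";
String label = "Radius alert";
int radiusMeters = 300;
"""


@dataclass(frozen=True)
class Finding:
    line: int
    kind: str      # "hardcoded_credential" or "cleartext_http"
    detail: str    # never contains the secret value itself


# Identifier names that usually hold a secret, assigned a non-empty string literal.
_CRED_ASSIGN = re.compile(
    r'\b(\w*(?:pass(?:word|wd)?|secret|api[_-]?key|token)\w*)\s*=\s*"([^"]+)"',
    re.IGNORECASE,
)
# Any string literal that is an http:// (not https://) URL.
_HTTP_URL = re.compile(r'"(http://[^"\s]+)"', re.IGNORECASE)


def scan_source(text: str) -> List[Finding]:
    """Return one Finding per hardcoded credential literal and per cleartext URL."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in _CRED_ASSIGN.finditer(line):
            name, value = m.group(1), m.group(2)
            # A URL stored under a name like TOKEN_URL is an endpoint, not a secret.
            if value.lower().startswith(("http://", "https://")):
                continue
            findings.append(Finding(
                lineno, "hardcoded_credential",
                f"{name} assigned a string literal of {len(value)} chars",
            ))
        for m in _HTTP_URL.finditer(line):
            findings.append(Finding(lineno, "cleartext_http", m.group(1)))
    return findings


def has_release_blockers(findings: List[Finding]) -> bool:
    """True if any finding should stop a release build."""
    return any(f.kind in ("hardcoded_credential", "cleartext_http") for f in findings)


if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f.line}: {f.kind}: {f.detail}")
    print("release blocked:", has_release_blockers(scan_source(SAMPLE_SOURCE)))
```

On the constructed sample the check flags the `API_PASS` literal and the `http://` token endpoint, and ignores `MAP_URL` (HTTPS) and `TOKEN_URL`'s value (a URL, not a secret). A real pipeline would run this over the decompiled release build, since that is exactly what an outside analyst sees.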

Moreover, Alderson said that in the "Radius Alert" tab of the app, which shows a map of infected people, "the exact coordinates of infected people are downloaded by the app". This is a major breach of privacy for people who have been diagnosed positive.

Summing up his findings, the researcher said that in the app, he found "hardcoded passwords, insecure requests and a privacy issue".

"Thanks for the good laugh, you are the worst covid 19 app I analysed," he concluded by saying.