Expert says the vulnerabilities identified by French analyst do not reflect secure coding practices
LAHORE: The federal government on Wednesday said that there was no reason for citizens to believe reports of security flaws and bugs in its Covid-19 Gov PK application, which is aimed at providing easy access to information on ventilator availability in hospitals across the country.
According to a press release by the National Information Technology Board (NITB) in this regard, the issues put forward by a French researcher were “incorrect”.
“No user login mechanism is present in the app. Therefore, the use of logins and passwords is not part of the app’s workflow. The screenshot mentioning the hardcoded password is the defined keyword to give more security to an auto-token endpoint, so that the endpoint can only be used from mobile apps,” it stated, adding, “All our APIs communicate using HTTPS. Hence, security and protection of data of users as per international standards is of prime importance and implemented at the core”.
Speaking to Pakistan Today, renowned cybersecurity expert Rafay Baloch said, “The first issue pertaining to radius alert, whereby the application populates locations of self-declared patients on a map, is by design and is not a valid security finding, as information is populated based upon user consent and, as per the clarification given by NITB, the app does not display exact coordinates.”
He explained, “Other findings are valid from a security standpoint. The clarifications refer to international security standards being followed; however, the vulnerabilities identified do not reflect secure coding practices”.
“OWASP Mobile Top 10 risks are the best known and most widely adopted international standard for secure coding, and the vulnerabilities identified are a clear violation of the aforementioned standards,” he added.
When asked how the lack of data protection and privacy legislation impacts end users, Baloch said, “In the absence of legislation such as a Data Protection Law, there is no liability or obligation upon companies and institutions processing personal data. There is no breach disclosure policy under which companies are mandated to publicly acknowledge and disclose details pertaining to breaches of personal data”.
“All applications storing and processing citizens’ personal data should undergo independent security scrutiny before they are made public,” he concluded.
On Tuesday, it had emerged that the country’s “COVID-19 Gov PK” app developed for easy access to information on ventilator availability came with a plethora of serious privacy and security flaws.
A French security researcher identified on Twitter as Elliot Alderson said he had “analysed” the app and pointed out the flaws in a series of tweets.
According to Alderson, the app, released on March 27 on the Google Play Store, is not a contact tracing app and lets a user view dashboards for each province and state.
“Yesterday night, I analysed ‘Covid-19 Gov PK’ the official #Covid19 mobile app made by the Pakistani government. Hardcoded passwords, insecure connections, privacy issues, … nothing is ok with this app,” he wrote.
1/ Yesterday night, I analysed “COVID-19 Gov PK”, the official #Covid19 mobile app made by the Pakistani government. Hardcoded passwords, insecure connections, privacy issues, … nothing is ok with this app.
Want to see this horror? Follow me ⬇️ pic.twitter.com/cpdf5ezoFM
— Elliot Alderson (@fs0c131y) June 9, 2020
The app is “made by the Ministry of IT and Telecom with National Information Technology Board, is available on the PlayStore and has been downloaded more than 500,000 times. You can do a self-assessment, get radius alert, get a popup notification reminding the user of their personal hygiene,” he wrote of his user experience.
2/ This app, made by the Ministry of IT and Telecom with National Information Technology Board, is available on the PlayStore and has been downloaded more than 500,000 times. https://t.co/bdh1uimzan
— Elliot Alderson (@fs0c131y) June 9, 2020
The security researcher went on to say that when the app is first opened, “it asks a token to the pak gov server with hardcoded credentials: CovidAppUser/[email protected]#890#”.
Hardcoded credentials, meaning a username or password embedded in the app’s code for the developer’s convenience, are a major security risk: attackers look for them because they can grant access to the app itself or, worse, the device. They are usually left in during development but should be removed before the app’s release.
The researcher said that when the app “requests the position of infected people on the map”, more hardcoded credentials were found.
He went on to say that the first request made by the app is “unsecure”.
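As an added example that is not part of the article, the app, or the researcher’s material, here is a small Python secure-coding check over constructed sample lines resembling decompiled Android source and a network security config. It flags the two classes of finding described above, credential string literals passed to an auth request and cleartext HTTP endpoints; every host, name and value in the sample is a placeholder.

```python
import re
from dataclasses import dataclass

# Constructed sample of decompiled Android/Java source and network config lines.
# The host, names and values are placeholders, not taken from the real app.
SAMPLE_LINES = [
    'String BASE_URL = "http://api.example.invalid/v1/";',
    'String TOKEN_URL = "https://api.example.invalid/auth/token";',
    'body.put("username", "AppUser");',
    'body.put("password", "Placeholder#123");',
    'String apiKey = readFromKeystore("api_key");',          # runtime lookup, not a literal
    '<domain-config cleartextTrafficPermitted="true">',      # allows plain HTTP
    'String CLIENT_SECRET = BuildConfig.CLIENT_SECRET;',     # baked in at build time
]

@dataclass
class Finding:
    line_no: int
    category: str
    detail: str

# A credential-like name followed by a string literal assigned or passed to it.
CRED_LITERAL = re.compile(
    r'(?P<name>password|passwd|pwd|secret|api[_-]?key|token)"?\s*[=,:]\s*'
    r'"(?P<value>[^"]{4,})"', re.IGNORECASE)
# A plain http:// URL literal, and the Android config switch that permits cleartext traffic.
CLEARTEXT_URL = re.compile(r'"http://[^"]+"')
CLEARTEXT_CFG = re.compile(r'cleartextTrafficPermitted="true"')

def scan(lines):
    """Return one Finding per matched pattern, in file order."""
    findings = []
    for no, line in enumerate(lines, 1):
        m = CRED_LITERAL.search(line)
        if m:
            findings.append(Finding(no, "hardcoded_credential",
                                    f'{m.group("name")} literal: {m.group("value")!r}'))
        if CLEARTEXT_URL.search(line):
            findings.append(Finding(no, "cleartext_url", line.strip()))
        if CLEARTEXT_CFG.search(line):
            findings.append(Finding(no, "cleartext_config", line.strip()))
    return findings

# Limitation: a literal scan only sees values written as strings. A value pulled in via
# BuildConfig or a resource file still ships inside the APK and needs a separate review.

if __name__ == "__main__":
    for f in scan(SAMPLE_LINES):
        print(f"line {f.line_no}: {f.category}: {f.detail}")
```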