June 11, 2020 — An independent French hacker, Elliot Alderson, shared a tweet thread highlighting various issues relating to privacy in the Pakistan government’s app “COVID-19 GOV PK”. Developed by the National Information Technology Board (NITB), this app was launched by the government to track and trace COVID-19 patients in Pakistan.
Alderson mentions in his tweets that he has examined various contact tracing apps from other countries, and adds that “nothing is ok with this app”. The app, available on the Google Play Store, has already been downloaded by 500,000 people and contains privacy issues that can seriously threaten their safety and that of their information.
The hacker states that it is not a contact tracing app but a dashboard that allows users to access the number of cases in the country, lets them do a self-assessment, gives radius alerts if the person is in close proximity to a confirmed COVID-19 patient, and gives a pop-up reminder to maintain personal hygiene.
According to the security analysis, when the application is opened, it first connects to the Pakistan government servers with hardcoded credentials. Credentials of this type allow anyone with basic software development skills to access the username and password embedded in the source code in plain text, indicating the insecure nature of the code, which makes it vulnerable to various kinds of threats, like DDoS attacks. This particular set of credentials is required to establish a connection between the application and the host server.
Alderson also points out that the requests sent by the application to the host server covid.gov.pk use the insecure HTTP protocol instead of HTTPS, making the connection even less safe for the data it carries. Additionally, the app stores the physical locations of patients in the form of coordinates on the map. Alderson writes, “Sick people deserve privacy”, and calls it the worst Covid-19 app he has analysed.
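The two findings described above, credentials embedded in source code and a cleartext HTTP endpoint, are ones a pre-release source check can flag before an app ships. The following is an added example, not code from the app or from Alderson's analysis; the sample source, the host backend.example.invalid and every identifier in it are constructed for illustration.

```python
import re

# Constructed sample resembling app source code. The host name, class name and
# credential values are placeholders invented for this example.
SAMPLE_SOURCE = '''
public class ApiClient {
    private static final String BASE_URL = "http://backend.example.invalid/api/";
    private static final String USERNAME = "EXAMPLE_USER";
    private static final String PASSWORD = "EXAMPLE_PASSWORD";
    private static final String HELP_URL = "https://example.org/help";
    private String password = prefs.getString("password", null);
}
'''

# A string literal that starts with http:// (https:// does not match).
CLEARTEXT_URL = re.compile(r'"(http://[^"\s]+)"', re.IGNORECASE)

# An identifier that looks like a credential and is assigned a string literal.
# A value fetched at runtime (no literal after '=') is not reported.
CREDENTIAL = re.compile(
    r'\b(\w*(?:user(?:name)?|passw(?:or)?d|secret|token|api_?key)\w*)'
    r'\s*=\s*"([^"]+)"',
    re.IGNORECASE,
)


def audit(source):
    """Return (line number, finding type, detail) tuples for one source text."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for match in CLEARTEXT_URL.finditer(line):
            findings.append((lineno, "cleartext-http", match.group(1)))
        for match in CREDENTIAL.finditer(line):
            # Report the identifier only, so the secret is not copied into logs.
            findings.append((lineno, "hardcoded-credential", match.group(1)))
    return findings


if __name__ == "__main__":
    for lineno, kind, detail in audit(SAMPLE_SOURCE):
        print(f"line {lineno}: {kind}: {detail}")
```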
NITB responds to privacy concerns
Shabahat Ali Shah, CEO of the National Information Technology Board (NITB), shared a statement on Tuesday defending the app, describing the issues Alderson raised as part of the design and saying they do not pose any privacy risks. According to the statement shared by Shah, very limited personal information is collected by the app, and it does not show the exact location of the patients. The three-point statement mentions that the patients give their consent to reveal their coordinates.
The statement outlines that there is no login mechanism in place on the app, and that a username and password are not part of the workflow of the application. However, Asad Baig, Director and Co-Founder of Media Matters for Democracy, posits that these credentials are not at the user’s end; instead, they connect the information on the application with the server of the government of Pakistan. “These login credentials are essential for the connection that is being built between the application and the server every time the information is updated on the app or a user accesses this information. It has nothing to do with users, and everything to do with the app’s security on connection level.” He adds, “On top of the hardcoded passwords, the app does not build a secure HTTPS connection with the server which is another layer of insecurity within the design of the app. Collectively, this is a privacy nightmare waiting to happen any time.”
Rafay Baloch, an Information Security Researcher, responding to Shah’s statement, writes on Twitter that it is insufficient and doesn’t address the concerns raised by Alderson. Baloch adds that there are many privacy issues with the app, including “insecure protection at transport layer for not being able to enforce HTTPS where-by still leaving application vulnerable to MITM (Man-in-the-Middle attack).”
Anas Tipu, a web developer, echoes these remarks and suggests that a secure connection is important for any application or website in order to avoid hacking attempts or other digital attacks. “Instead of making this connection secure, hardcoded passwords coupled with insecure HTTP connection, open the data for security threats, both on the application level and on the server level. This connection should have been encrypted and dynamic so the chances of the data being compromised are less.”