Norwegian app security company Promon has reported it found that 12 major government apps in Asia are leaking sensitive data and lack basic security.
The report can be accessed here. Key findings include:
- Around 60% of the tested apps leak sensitive data.
- In some cases, PII is conveniently stored in well-formatted but, more importantly, unencrypted SQL databases showing when and where a user had been located.
- In almost all cases, it was possible to obtain the certificates used to perform Secure Sockets Layer (SSL) and Transport Layer Security (TLS) pinning.
- More than 80% of the apps could be repackaged, injected with malware and redistributed.
- 60% of the tested apps had no malware protection in place.
- 50% of the apps don’t even use basic protection techniques such as code obfuscation.
- More than 65% of the tested apps do not detect whether an attacker is analysing the app at runtime using basic and widely used analysis tools.
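Two of the findings above (PII and location history kept in unencrypted SQL databases, and pinning certificates recoverable from the app's files) are the kind of thing a reviewer can confirm against an app's local storage before release. The script below is an added example written for this article, not code from Promon or from the report: it builds a constructed SQLite store mimicking a quarantine-tracking app, checks whether the file is readable at all (an unencrypted SQLite file always carries the `SQLite format 3\0` magic header, which whole-file encryption such as SQLCipher replaces), and then walks every table to count cells holding plaintext coordinates, timestamps, contact details or PEM material. Table and column names, the sample rows and the certificate placeholder are all constructed.

```python
"""Audit an app's local SQLite store for plaintext location data and PII.

Added example for this article; not code from Promon or the report.
Database, table and column names below are constructed so the script
runs offline against a sample it builds itself.
"""
from __future__ import annotations

import re
import sqlite3
import tempfile
from dataclasses import dataclass

# An unencrypted SQLite file starts with this 16-byte magic header.
# Whole-file encryption (e.g. SQLCipher) replaces it with a random salt,
# so its presence means the contents are readable without any key.
SQLITE_MAGIC = b"SQLite format 3\x00"

# Column names that commonly hold location or identity data (heuristic).
LOCATION_COLS = {"lat", "latitude", "lng", "lon", "longitude"}
PII_COLS = {"email", "phone", "msisdn", "national_id", "passport", "name"}

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[A-Za-z]{2,}$")
PHONE_RE = re.compile(r"^\+?\d[\d \-]{7,}\d$")
ISO_TS_RE = re.compile(r"^\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}")
PEM_RE = re.compile(r"-----BEGIN [A-Z ]*(CERTIFICATE|PRIVATE KEY)-----")


@dataclass
class Finding:
    table: str
    column: str
    kind: str      # coordinate | timestamp | email | phone | pii_text | pem_material
    rows: int = 0  # number of rows in which the cell matched


def classify(column: str, value) -> str | None:
    """Return a finding kind for one cell, or None if it looks benign."""
    col = column.lower()
    if isinstance(value, float) and col in LOCATION_COLS and abs(value) <= 180:
        return "coordinate"
    if not isinstance(value, str):
        return None
    if PEM_RE.search(value):
        return "pem_material"
    if EMAIL_RE.match(value):
        return "email"
    if PHONE_RE.match(value):
        return "phone"
    if ISO_TS_RE.match(value):
        return "timestamp"
    if col in PII_COLS and value:
        return "pii_text"
    return None


def is_plaintext_sqlite(path: str) -> bool:
    with open(path, "rb") as fh:
        return fh.read(16) == SQLITE_MAGIC


def audit_database(path: str) -> list[Finding]:
    """Walk every table and column, counting cells with readable sensitive data."""
    if not is_plaintext_sqlite(path):
        return []  # encrypted or not SQLite: nothing readable without a key
    findings: dict[tuple[str, str, str], Finding] = {}
    con = sqlite3.connect(path)
    try:
        tables = [r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
        for table in tables:
            cols = [r[1] for r in con.execute(f'PRAGMA table_info("{table}")')]
            for row in con.execute(f'SELECT * FROM "{table}"'):
                for col, val in zip(cols, row):
                    kind = classify(col, val)
                    if kind:
                        key = (table, col, kind)
                        findings.setdefault(key, Finding(table, col, kind)).rows += 1
    finally:
        con.close()
    return sorted(findings.values(), key=lambda f: (f.table, f.column))


def build_sample_db(path: str) -> None:
    """Constructed sample mimicking a quarantine-tracking app's local store."""
    con = sqlite3.connect(path)
    con.executescript("""
        CREATE TABLE account (id INTEGER, email TEXT, phone TEXT);
        CREATE TABLE checkins (ts TEXT, latitude REAL, longitude REAL);
        CREATE TABLE config (k TEXT, v TEXT);
    """)
    con.execute("INSERT INTO account VALUES (1, 'a.user@example.org', '+65 8000 0000')")
    con.executemany("INSERT INTO checkins VALUES (?,?,?)", [
        ("2020-04-01T09:00", 1.2903, 103.8519),
        ("2020-04-01T21:30", 1.3000, 103.8000),
    ])
    # Pinning certificate dropped into a config table as plain text (placeholder body).
    con.execute("INSERT INTO config VALUES ('pin_cert', "
                "'-----BEGIN CERTIFICATE-----MIIB...constructed...-----END CERTIFICATE-----')")
    con.commit()
    con.close()


def demo() -> list[Finding]:
    with tempfile.TemporaryDirectory() as d:
        path = f"{d}/app.db"
        build_sample_db(path)
        return audit_database(path)


if __name__ == "__main__":
    for f in demo():
        print(f"{f.table}.{f.column}: {f.kind} in {f.rows} row(s)")
```

Run against a real app's sandbox database (pulled from a test device you own), a clean result is only a negative for these heuristics; a hit on `pem_material` or on a `coordinate`/`timestamp` pair is exactly the finding described in the report, and the fix is to move that data behind platform key storage or an encrypted database rather than to rename the columns.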
Andrew Whaley, Senior Technical Director at Promon, comments: “The level of vulnerability of these government apps isn’t surprising and is similar to what we see across the board. Interestingly, some of these apps are supposed to monitor user compliance with local lockdown measures. Therefore, there is a real incentive for users to exploit these vulnerabilities.
The lack of integrity controls or secure storage of certificates and API keys would mean that it’s relatively easy to modify the app to report that a user is at home observing quarantine measures when, in fact, they are out at a nightclub! Securing apps using suitable tools for iOS and Android would make it extremely difficult for somebody to bypass these controls. Therefore, it’s surprising that it hasn’t been done in these cases.”