Vulnerabilities Detected in Government-sanctioned COVID-19 App

A COVID-19 app officially approved by the government of Colombia has been found to contain vulnerabilities.

Research published today by ZeroFOX’s Alpha Team raises concerns over an official government-sanctioned mobile app and several other apps created in response to the global health crisis. 

On March 9, Colombia's president, Ivan Duque, announced the launch of the CoronApp-Colombia app as a way for Colombians to send health updates and receive coronavirus news. Researchers found that the app, which has over 100,000 users, exposes user data.

"The CoronApp-Colombia app had a vulnerability where it was sending Personal Health Information (PHI) and Personally Identifiable Information (PII) data in plaintext," said Zack Allen, director of threat intelligence at ZeroFOX.  

"This includes passport numbers, passwords, and self-disclosed health information." 

Researchers also found that another app, released in Italy in beta testing mode, had been recompiled with a backdoor and was "actively infecting victims."

Asked if governments, instead of setting up new apps, should look to partner with existing apps to get the word out quickly and more safely, Allen said: "This is a fantastic demonstration of private and public industry working together, and I think it would be a great approach, granted the people trust these apps. It all depends on who wants to inherit the risk. 

"Many social media sites, for example, have COVID-19 splash pages and notifications for information, but having a large tech company hold all your data may have the same effects as government-sanctioned apps."

Unwilling to rely on TV and radio alone to communicate with citizens during the current health crisis, governments across the world have rushed out COVID-19 apps. 

"Mobile app usage is one of the faster ways to get information to citizens, but it comes at a cost," said Allen. "Governments inherit the risk of deploying code quickly and efficiently, and citizens have to trust that their privacy and protection are top of mind. 

"In my personal opinion, I'd like to see informational sources such as websites be used with a mobile-friendly website view. I would not install apps that use Bluetooth for tracking myself and others."

Asked if he personally uses any COVID-19 apps, Allen said: "I am primarily visiting the WHO and CDC websites on a daily basis. After reviewing about 30 of these apps, I would be hesitant to install them at this time."
