TheDigitalHacker has received a report that the app built by developers for the Pakistan government to track #covid19 uses third-rate security that can leak personal data, including passwords and personal information, which are the first-order concerns for any contact-tracing app.
1. It uses HTTP not HTTPS to manage server
HTTPS has been the standard for transferring private data securely for many years, for organizations of any size.
Before 2016, deploying HTTPS on a server was an expensive task, and many organisations could not afford it unless they were well funded.
Today, obtaining an HTTPS certificate does not cost a penny.
In 2016, the Electronic Frontier Foundation encouraged organizations, websites, and app developers to move to HTTPS by making trusted certificates available for free.
2. User’s data including password not Encrypted
Apart from using HTTP, they also did not encrypt the password field. This opens up a serious vulnerability: anyone on the same Wi-Fi network, or on any router through which the traffic passes, can read the exact password without much effort.
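To make the point concrete, the following is an added example (not code from the original article, and not the app's own code) that shows what a passive observer on the network path sees in each case: a login sent over plain HTTP is readable text with the password in a form field, whereas an HTTPS login shows up only as an opaque TLS record. The captured request, the hostname `example.invalid`, the field names and the TLS bytes are all constructed for the example and are not taken from the real app.

```python
"""Added example: why a cleartext HTTP login leaks the password to any sniffer.

Everything here is constructed for illustration; no bytes are from the real app.
"""
from urllib.parse import parse_qs, urlsplit

# Form field names a sniffer would treat as credentials / personal data.
SENSITIVE_FIELDS = {"username", "email", "password", "passwd", "pass", "pin", "token", "key"}

# Constructed sample: what an observer on the same Wi-Fi sees when an app
# logs in over plain HTTP. The request is just text on the wire.
CAPTURED_HTTP_REQUEST = (
    b"POST /api/login HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 38\r\n"
    b"\r\n"
    b"username=alice&password=s3cret-pass%21"
)

# Constructed sample: what the same observer sees for an HTTPS login. A TLS
# application-data record header (type 0x17, version 0x0303, length) followed
# by ciphertext. The payload bytes are arbitrary filler, not a real record.
CAPTURED_TLS_RECORD = b"\x17\x03\x03\x00\x10" + bytes(range(0x10))


def is_cleartext_http(raw: bytes) -> bool:
    """True if the bytes start like an HTTP/1.x request line (e.g. 'POST /x HTTP/1.1')."""
    first = raw.split(b"\r\n", 1)[0]
    return first.endswith((b"HTTP/1.0", b"HTTP/1.1")) and first.split(b" ")[0].isalpha()


def is_tls_record(raw: bytes) -> bool:
    """True if the bytes start with a TLS record header (type 0x14..0x17, major version 3)."""
    return len(raw) >= 5 and raw[0] in (0x14, 0x15, 0x16, 0x17) and raw[1] == 0x03


def split_http_request(raw: bytes):
    """Return (request_line, headers dict, body) for a raw HTTP/1.x request."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def extract_credentials(raw: bytes) -> dict:
    """Pull sensitive form fields out of a cleartext HTTP request.

    Returns an empty dict when there is no readable form body. That is also
    what a sniffer gets from HTTPS traffic: there is no request to parse.
    """
    if not is_cleartext_http(raw):
        return {}
    _, headers, body = split_http_request(raw)
    if not headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        return {}
    length = int(headers.get("content-length", len(body)))
    fields = parse_qs(body[:length].decode("latin-1"))
    return {k: v[0] for k, v in fields.items() if k.lower() in SENSITIVE_FIELDS}


def endpoint_uses_https(url: str) -> bool:
    """Config check an app should pass before sending any credential to `url`."""
    return urlsplit(url).scheme.lower() == "https"


if __name__ == "__main__":
    print(extract_credentials(CAPTURED_HTTP_REQUEST))   # {'username': 'alice', 'password': 's3cret-pass!'}
    print(extract_credentials(CAPTURED_TLS_RECORD))     # {}
    print(is_tls_record(CAPTURED_TLS_RECORD))           # True
    print(endpoint_uses_https("http://example.invalid/api/login"))   # False
    print(endpoint_uses_https("https://example.invalid/api/login"))  # True
```

The observer does nothing clever here: with HTTP the password is recovered by splitting headers from body and URL-decoding one form field. Note that encrypting only the password field inside an HTTP request would still expose the username and every other field; the fix is to send the whole request over HTTPS, which is what `endpoint_uses_https` enforces at the client side.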
3. Reported, but the developers fought back
The security vulnerability was reported to Pakistan, but the developers pushed back, arguing that the exposed value was not the password but a key.
It turned out to be the password itself, a point the developers did not accept.
TheDigitalHacker recommends not using the app
We do not recommend using this app until it is updated with current security measures and encrypts users' data in transit before sending it to the server.
We encourage the government of Pakistan to take further action: make the app temporarily unavailable, and release it again only once it protects the basic privacy of its citizens.
A #COVID19 data leak can create chaos in a tier-1 country
Companies like Google and Apple have been investing a fortune in building secure covid19 tracing apps and assuring users that their data will not be leaked.
If personal data such as passwords, names, and #covid19 status gets leaked, it can create uncontrollable chaos among people.