The Hong Kong government’s Covid-19 contact-tracing app contains privacy and security risks that could compromise the security of users’ personal information, a cybersecurity firm has said.
Polish company 7ASecurity conducted an independent security audit of the LeaveHomeSafe app between April and May, at the request of the Hong Kong Democracy Council, a US-based pro-democracy lobby group founded by foreign activists.
The company spotted 12 security and privacy vulnerabilities, three of which were classified as critical or high-level vulnerabilities. The most critical weakness, according to 7ASecurity CEO Abraham Aranguren, could allow attackers to intercept the app’s data collection process and gain access to user information, including their ID card number. , their phone number and their Covid-19 vaccination status. This issue only affected devices using the Android operating system.
Aranguren told HKFP that the app’s security is poor compared to other commercial products. “Nowadays, it’s very rare in a mobile [penetration test] have items with high or critical security [issues]“said Aranguren. Penetration testing simulates cyberattacks to assess the security of a system.
Most of the vulnerabilities did not appear to be “intentional,” but instead suggested “negligence” on the part of the developer, Aranguren said. But he questioned why Hong Kong authorities claimed the app had passed previous security and privacy checks, citing a government press release issued last February that said an “impact assessment Privacy” had been conducted by “independent third parties”.
The company also found facial detection elements identified as “libraries”, which in programming language means pre-written codes available in the market.
It was the second time such a feature had been spotted in the contact tracing app. In May, the now-defunct investigative journal FactWire reported that a React Native facial detection module had been found on the LeaveHomeSafe app. The government later said the facial detection feature was indeed tied to code that allows the phone’s camera to scan objects, but said it would ask the developer to try removing the recognition feature. to dispel any privacy concerns.
However, two facial recognition libraries were found during 7ASecurity’s audit, including React Native’s and Google’s. Aranguren said that while it’s not uncommon for developers to keep these libraries in their code even if they weren’t meant to be enabled, their presence may still raise eyebrows.
“The main question is why is it there, isn’t it?… We don’t know why they weren’t removed. So the whole issue here is the issue of trust because there are political concerns,” Aranguren said.
When use of the LeaveHomeSafe app was made mandatory to enter restaurants, some residents expressed concerns about the security of their data. “I’m worried about my personal information, but since it’s now a requirement…I have no other choice,” a guest told HKFP last year.
Aranguren said the company was unable to verify whether the libraries were enabled or not. He added that authorities and app developers should make LeaveHomeSafe an open source app.
“If the app is open source, there was no obfuscation and there were no facial recognition artifacts, then the case for privacy would be pretty much dead because there would be [transparency]…everyone would be able to read the code, so you could tell they’re not trying to hide anything.
The Office of the Chief Government Information Officer (OGCIO), which is responsible for the operation of the LeaveHomeSafe app, responded to 7ASecurity’s “inaccurate report” and “unfair allegation” in a statement last Thursday.
OGCIO said privacy has always been the primary goal, adding that all privacy-related data stored in the app is masked and encrypted. He also touched on the issue of the facial recognition feature.
“OGCIO repeatedly explained in response to allegations related to the facial recognition module in May this year and reiterated that the mobile application “LeaveHomeSafe” never used or required any facial recognition function. The affected facial recognition module has also already been removed as promised,” the statement said.
Responding to a query from HKFP regarding requests to make LeaveHomeSafe open source, an OGCIO spokesperson said that “the primary goal of open source government applications is to facilitate industry development. through program code reuse,” a goal that was “not applicable to ‘LeaveHomeSafe’.”
“We are of the view that opening the source code of the app will only introduce additional security risks with no apparent benefits. For example, it will be much easier for offenders to develop fraudulent ‘LeaveHomeSafe’ apps. As such, we have no intention or plan to open its source code,” the spokesperson continued.
7ASecurity said it sent the full report to the government and app developer in June – a month before it was published – and only received an automated acknowledgement. Aranguren said several follow-up requests were sent but authorities never responded or offered to fix things.
The OGCIO did not confirm whether it received the report from 7ASecurity, or reveal which independent third parties performed security checks.
The LeaveHomeSafe app was introduced in November 2020 to improve government contact tracing efforts amid the Covid-19 pandemic. The government has repeatedly emphasized that use of the app is voluntary, however, LeaveHomeSafe has become mandatory to enter an increasing number of places, including but not limited to restaurants, gyms, bars and pubs.
Hong Kong on Sunday recorded 1,353,994 Covid-19 infections and 9,503 related deaths since the start of the pandemic.
Support HKFP | Code of Ethics | Error / typo? | Contact us | Newsletter | Transparency & Annual Report