A French hacker tweeted yesterday about the newly released COVID-19 app by the Pakistan government, claiming that it contains security flaws and bugs. The mobile app, called COVID-19 Gov PK, was designed to give insight into the present situation of a patient. However, today the government rejected the report by the French hacker, stating that the claims are incorrect.
French Hacker has privacy concerns over COVID-19 App made by Pakistan’s govt.
On June 9, the French hacker Elliot Alderson took to his Twitter account to share his analysis so far of COVID-19 Gov PK. According to Alderson, the COVID-19 app by the Pakistan government has serious privacy issues.
Here’s what he tweeted about the app:
“Yesterday night, I analyzed “COVID-19 Gov PK”, the official #Covid19 mobile app made by the Pakistani government. Hardcoded passwords, insecure connections, privacy issues, … nothing is ok with this app.
Want to see this horror? Follow me”
In addition, the French hacker mentioned that his analysis shows that the app has been downloaded about 500,000 times. Noting that the app isn’t for contact tracing, Alderson said it helps users to access dashboards for each province.
“It’s NOT a contact tracing app. It gives access to dashboards for each province and state. You can do a self-assessment, get a radius alert, get a popup notification reminding the user of their personal hygiene.”
Furthermore, Alderson mentioned that the app requests a token from the Pakistani government server using hardcoded credentials whenever users first open it.
“Because hardcoded credentials seem to be a thing in Pakistan when the app requests the position of infected people on the map, they used another hardcoded creds.”
Apart from that, he also mentioned that the app’s “Radius Alert” tab, which shows the exact coordinates of people infected with coronavirus, is a major breach of patients’ privacy.
In conclusion, the French hacker said the COVID-19 app by the Pakistan government is the worst app he has ever analyzed. That’s because the app comes with a lot of issues, including hardcoded passwords, insecure requests, and privacy concerns.
The Pakistani Government rejects the claim by Alderson
Today, the Pakistan government rejected the claims by the French hacker that its newly released COVID-19 app contains several issues.
According to the official press release from the National Information Technology Board (NITB), the claims by Alderson are incorrect. Here’s a brief of the release:
Furthermore, the NITB mentioned in the release that the COVID-19 app by the Pakistan government doesn’t have a user login mechanism. Regarding the hardcoded password, NITB explained that it is a defined keyword that helps provide more security to an auto-token endpoint, making it useful only on mobile apps.
“All our APIs communicate using HTTPS. Hence, the security and protection of data of users as per international standards is of prime importance and implemented at the core.”