Mobile Government apps create a unique opportunity for governments to interact with their citizens and provide streamlined solutions for them – from eID’s to healthcare apps and, recently, a growing number of COVID19 apps with different purposes.
However, these apps can contain a great deal of sensitive information that needs to be kept safe. And when it comes to protecting user data, governments should lead by example. If government apps do not implement the security mechanisms needed to protect against several common attack methods, they ultimately put citizens’ data at risk.
Vulnerable Government Apps
As government apps can hold a significant amount of citizen data, the consequences of an attack could potentially be devastating. With vulnerable government apps, sensitive citizen data, such as Personally Identifiable Information (PII) could get stolen, which might be severe for users. One could argue that by not sufficiently securing their apps, governments are jeopardising highly sensitive citizen data.
In some cases, citizens have few other options than to use the app provided by the government to be able to access certain services. For instance, COVID-vaccine certificates are becoming more and more common, and not having it can, to some extent, limit rights for people to move freely. However, problems might occur when these apps don’t have sufficient security in place.
Apps Leaking Sensitive Data
Arguably, one of the greatest vulnerabilities against government apps is the exposure of sensitive user data through unsecured data or app assets, such as API keys and certificates.
Typically, eGov apps are designed to track sensitive data, which includes personally identifiable information (PII). This data is often cached before being uploaded to official channels for tracking purposes etc.
In our study of eGov apps in the Asia-Pacific region, we found that it was possible to scrape this information from a device. This data was, in many instances, stored in an unencrypted manner. In the instances where the PII was stored in an encrypted form, the storage mediums could still be reverse-engineered because of the lack of security the apps showed. The encryption keys could be extracted easily through hooking techniques and were, in some cases, even present in the app codebase itself. This could result in a potential data breach that could cause irreparable damage to the parties involved – both the government providing the app and its users.
Another study conducted by researchers from ZeroFox Alpha Team focusing on COVID-related apps found several serious vulnerabilities. They, for example, discovered that an app created by the Columbian government to track COVID-symptoms used insecure communication with the API server throughout the app workflow. By using insecure server calls to relay users’ personal data, the app could put citizens’ health information and other personal information at risk.
Fake Government Apps
When downloading a government app, you would trust that it is the real one. Unfortunately, like with all other apps, eGov apps can also be repackaged, modified and redistributed.
In 2020, governments worldwide saw the need to create COVID apps to try to stay on top of the corona-situation. Unfortunately, not all of them were secure. The Italian government, for example, released region-specific apps to track corona symptoms. In ZeroFox Alpha Team’s study, they found that malicious actors were taking advantage of the inconsistency in these app’s releases and availability to launch malicious copycats that contained backdoors that would prey on users who downloaded the malicious app.
When an app provider doesn’t implement good enough security to protect their app against repackaging, it is highly compromised, and an attacker can easily modify it. Once a “malicious doppelganger” has been created and redistributed, the app can be downloaded by users who believe they are getting the original eGov app. One consequence of this is that attackers can scrape users’ log-in credentials to access accounts and personal information and steal sensitive data.
Andrew Whaley, Senior Technical Directior at Promon says that: “The level of vulnerability of these government apps isn’t surprising and is similar to what we see across the board. Interestingly, some of these apps are supposed to monitor user compliance with local lockdown measures. Therefore there is a real incentive for users to exploit these vulnerabilities.”
The solution for secure Government Apps
When it comes to app security, Government apps should set an example and at least have the basic security in place. In our research, we found that most of the analysed apps, however, did not. Other research also shows that in many cases, especially related to the COVID-pandemic, the apps created on behalf of the government do not live up to security expectations.
Apps, and maybe especially government apps, must make sure they have the security in place to withstand known attacks. One could argue that all apps that hold sensitive information of their users have a responsibility to ensure that this information is kept safe. When apps do not adhere to certain security standards, the likelihood of data leaking or being manipulated is much higher.
Governments must make sure they adopt a comprehensive approach to app security, which includes App Shielding and strong data protection. Most app users will most likely expect that their data is being kept safe, something that needs to be taken seriously – especially by governmental apps.
You can get all the results from our research of government apps in the APAC region here.