Major Government Apps In Asia Leak Sensitive Data And Lack Basic Security
Mobile eGovernment (eGov) apps create a unique opportunity for governments to interact with their citizens and provide streamlined solutions for them – from eIDs and healthcare apps to tax services apps. Government apps cover a wide range of services and can be highly beneficial for a country’s citizens.
But these apps can also contain a great deal of sensitive information that needs to be kept safe.
Due to COVID-19, governments have accelerated the digitization of their citizen interactions by several years and, if these institutions aren’t implementing security mechanisms to protect against common attack methods, these apps ultimately put citizens’ data at risk.
Our latest report, published today, looked at whether these apps have strong enough security mechanisms in place or if they contain vulnerabilities that could potentially jeopardize citizens’ data.
From our extensive research, we found that 12 major government apps in Asia are leaking sensitive data and lack basic security.
Key findings from the report include:
- Around 60% of the tested apps leak sensitive data
- More than 80% of the apps could be repackaged, injected with malware and redistributed
- 60% of the tested apps had no malware protection in place
- 50% of the tested apps don’t even use basic protection techniques such as code obfuscation
- More than 65% of the tested apps do not detect when an attacker is analysing the app at runtime with basic, widely used analysis tools
Andrew Whaley, Senior Technical Director at Promon, comments: “The level of vulnerability of these government apps isn’t surprising and is similar to what we see across the board. Interestingly, some of these apps are supposed to monitor user compliance with local lockdown measures. Therefore, there is a real incentive for users to exploit these vulnerabilities.
The lack of integrity controls or secure storage of certificates and API keys would mean that it’s relatively easy to modify the app to report that a user is at home observing quarantine measures when, in fact, they are out at a nightclub! Securing apps using suitable tools for iOS and Android would make it extremely difficult for somebody to bypass these controls. Therefore, it’s surprising that it hasn’t been done in these cases.”