OSLO, NORWAY – The Home Office’s Brexit app, used by people to confirm their identity as part of their application to stay in the United Kingdom should it leave the European Union, is at serious risk of malware attack, potentially allowing hackers to steal passport information and facial scans. The app, which requires users to scan their passports and faces as part of the application process, has been downloaded over 1,000,000 times.
The Promon researchers did not reveal a specific vulnerability in the app but tested the app’s resilience against basic and commonly used attack methods and tools, which often require very limited technical skills to use.
*The independent OWASP Mobile Application Security Verification Standard (MASVS) defines resilience against such attacks as a mandatory minimum for mobile apps handling sensitive information.
In a worst-case scenario, with malware being launched and distributed to attack the Brexit app, Promon’s researchers concluded the following:
- The EU Exit: ID Document Check Android app lacks functionality that prevents malware from reading and stealing sensitive information provided by users, including passport details and photo IDs.
- Attackers may modify the app or add malicious elements to it, then repackage and redistribute it, without the app detecting that it has been tampered with.
- The app is not resilient against code being injected while it is running, allowing it to be hijacked from the inside using basic and widely available tools.
- The app cannot detect that it is running in a hostile environment in which the basic security architecture of Android has been broken (for example, a rooted device).
- The app does not detect that an attacker is analysing it at runtime with basic and widely used tools, i.e. an attached debugger.
- Basic, generic spyware would be able to log what is typed into the app’s text fields, meaning personal information can easily be stolen.
- The app does not use code obfuscation, which would make developing targeted malware more time consuming for an attacker.
- Several of the attack scenarios can be carried out on both rooted and non-rooted devices.
*Mobile security standards, including those published by the independent Open Web Application Security Project (OWASP), state that apps handling sensitive data must be resilient against threats of this type at the very minimum. For specifics, see V8 (Resilience Requirements) of the OWASP Mobile Application Security Verification Standard.
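As an added illustration (not code from the EU Exit app, from the Home Office or from Promon), the following Android Java class shows the kind of MASVS V8 runtime checks the findings above describe as absent: a signing-certificate check against repackaging, a debugger check, a root-indicator check and a check for common hooking frameworks. The class name, method names, the path list and the placeholder certificate hash are this example's own assumptions; the expected hash must be replaced with the SHA-256 of the real release signing certificate.

```java
// Added example: MASVS V8-style runtime self-checks for an Android app.
// Not the EU Exit app's own code. Names and the placeholder hash are assumptions.
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.os.Build;
import android.os.Debug;

import java.io.BufferedReader;
import java.io.File;
import java.io.FileReader;
import java.io.IOException;
import java.security.MessageDigest;
import java.util.ArrayList;
import java.util.List;

public final class RuntimeIntegrityChecks {

    // Placeholder (assumption): hex SHA-256 of the release signing certificate.
    private static final String EXPECTED_SIGNING_CERT_SHA256 =
            "0000000000000000000000000000000000000000000000000000000000000000";

    // Typical locations of the su binary on rooted devices (illustrative list).
    private static final String[] SU_PATHS = {
            "/system/bin/su", "/system/xbin/su", "/sbin/su", "/system/su",
            "/data/local/xbin/su", "/data/local/bin/su", "/su/bin/su"
    };

    /** Anti-repackaging: the installed APK must carry the expected signing certificate. */
    public static boolean isSignatureValid(Context ctx) {
        try {
            PackageManager pm = ctx.getPackageManager();
            Signature[] signers;
            if (Build.VERSION.SDK_INT >= 28) {
                PackageInfo info = pm.getPackageInfo(ctx.getPackageName(),
                        PackageManager.GET_SIGNING_CERTIFICATES);
                if (info.signingInfo.hasMultipleSigners()) return false;
                signers = info.signingInfo.getApkContentsSigners();
            } else {
                PackageInfo info = pm.getPackageInfo(ctx.getPackageName(),
                        PackageManager.GET_SIGNATURES);
                signers = info.signatures;
            }
            if (signers == null || signers.length != 1) return false;
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(signers[0].toByteArray());
            return toHex(digest).equalsIgnoreCase(EXPECTED_SIGNING_CERT_SHA256);
        } catch (Exception e) {
            return false; // fail closed: an unreadable signature is treated as tampered
        }
    }

    /** Anti-debugging: debuggable build flag or a debugger attached / being waited for. */
    public static boolean isBeingDebugged(Context ctx) {
        boolean debuggableFlag =
                (ctx.getApplicationInfo().flags & ApplicationInfo.FLAG_DEBUGGABLE) != 0;
        return debuggableFlag || Debug.isDebuggerConnected() || Debug.waitingForDebugger();
    }

    /** Root indicators: test-keys build or a visible su binary. Heuristic, not proof. */
    public static boolean isLikelyRooted() {
        if (Build.TAGS != null && Build.TAGS.contains("test-keys")) return true;
        for (String path : SU_PATHS) {
            if (new File(path).exists()) return true;
        }
        return false;
    }

    /** Anti-hooking: Xposed class present, or a hooking library mapped into this process. */
    public static boolean isInstrumented() {
        try {
            Class.forName("de.robv.android.xposed.XposedBridge");
            return true;
        } catch (ClassNotFoundException ignored) {
            // not Xposed; fall through to the memory-map check
        }
        try (BufferedReader reader = new BufferedReader(new FileReader("/proc/self/maps"))) {
            String line;
            while ((line = reader.readLine()) != null) {
                String lower = line.toLowerCase();
                if (lower.contains("frida") || lower.contains("xposed")
                        || lower.contains("substrate")) {
                    return true;
                }
            }
        } catch (IOException ignored) {
            // cannot read the map: leave the other checks to decide
        }
        return false;
    }

    /** Runs every check and returns the names of the ones that failed (empty = clean). */
    public static List<String> findings(Context ctx) {
        List<String> failed = new ArrayList<>();
        if (!isSignatureValid(ctx)) failed.add("signature");
        if (isBeingDebugged(ctx)) failed.add("debugger");
        if (isLikelyRooted()) failed.add("root");
        if (isInstrumented()) failed.add("hooking");
        return failed;
    }

    private static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) sb.append(String.format("%02x", b));
        return sb.toString();
    }
}
```

Call `RuntimeIntegrityChecks.findings(context)` early in the app's start-up and refuse to capture passport or face data when the list is non-empty. Two caveats a practitioner should keep in mind: every one of these checks runs on the device and can itself be patched or hooked by an attacker with the same tools, so they raise the cost of an attack rather than rule it out, and they belong alongside code obfuscation and a server-side attestation signal (for example Google's SafetyNet/Play Integrity) rather than in place of them. Also, for robustness against hooking, the same checks are usually repeated from native code and spread across the app rather than concentrated in one easily patched class.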
“From our research, we found that the Brexit app on Android lacks crucial security measures, which is hugely concerning when you consider the sensitive nature of the information that users input into it,” comments Promon CTO Tom Lysemose Hansen. “At this time of political uncertainty, the last thing that people who are applying to remain in the United Kingdom need, or expect, are concerns around whether their passport information and photo IDs are being stolen by hackers. As the app will continue to grow in popularity and demand, with more people fearful of what will happen to them if the UK does leave, it means that it will become increasingly attractive to attackers, with the potential subsequent fallout devastating.”
“We see that too many high-value apps that possess and require personal and critical data run within untrusted environments, like insecure operating systems without necessary protection in place,” adds Promon CEO Gustaf Sahlman. “Banks have been alert to this threat for many years, with the majority taking the necessary steps to ensure their apps contain the right level of security, and we call upon governments around the world to realize just how dangerous mobile malware is, and to offer their end-users protection.”
Our conclusion is that the app includes no such countermeasures and implements no protection mechanisms of the kind recommended, for example, in the OWASP standards. Nor is its level of resilience on a par with, for example, the best practices we see within the banking and finance sector.
Consequently, the likelihood of data leaking or being manipulated is much higher than for an app that adheres to such standards. Whether or not that is a big deal is not for Promon to decide, but we think users should at least be aware of it, and they may have different expectations.
Please note that we are not advocating a black-or-white notion of security, that is, perfect security or nothing at all. We are simply observing that a lack of resilience against commonly used attack tools and methods means that very little technical skill or effort is required for data to leak, which increases the likelihood of this happening. Considering the sensitivity of the data being handled, it may very much be a big deal for the people whose data is stolen.