Note: this article may contain vulnerabilities that have been patched since the time the article was written.
Over the past few weeks, a handful of companies, states, and counties have released COVID-19 informational or contact-tracing apps. These apps aren’t built on the official Contact Tracing API specification published by Apple and Google – that functionality hasn’t officially been rolled out by those two companies yet. Rather, these apps either provide some alternative approach to contact tracing – or simply provide information regarding the virus.
In this article, I highlight a handful of privacy and/or security-related flaws I discovered while conducting research on the apps that I could find on the iOS App Store related to COVID-19.
Developer & Ratings: This app was developed by HealthLynked Corp. It has 35,000 ratings, with an average rating of 4.6 stars. Download on the iOS App Store.
App Summary: This app provides the ability for users to self-report symptoms of COVID-19 - data which is then shown to users in an aggregated map-like format.
Upon inspection of the API call that enables this functionality, it appears that removing the session cookies from the request still results in a successful database write, with a 200 status code and a success message.
A hacker could exploit this feature by randomly generating reports associated with particular areas, which would then allow massive misinformation campaigns surrounding false positives in particular zip codes. These results would propagate directly to the map view shown to users.
Upon logging in, the user’s entered email and password combination are sent over an unencrypted HTTP POST request to /api/sessions/login in plaintext. Note the unchecked TLS column visible in BurpSuite.
An on-path attacker could observe and capture the email and password sent across the unencrypted channel.
Developer & Ratings: This app was developed by the State of North Dakota. It has 256 ratings, with an average rating of 3.0 stars. This is a review of app version 3.1. Download on the iOS App Store.
In version 3.1, the developers claim to have “increase[d] user privacy by removing a set of support diagnostics.” However, the application appears to still be sharing identifiable analytics information with FourSquare, including arbitrary values like phone battery strength, without user consent.
Developer & Ratings: This app was developed by Sonoma County in a partnership with IBM. It has 4 ratings, with an average rating of 3.5 stars. Download on the iOS App Store.
App Description: This application contains a survey created by IBM and the Sonoma County Health Department to collect crowdsourced self-reporting information from users.
This application allows self-reporting of user information via a survey. The survey responses are pushed to a server database via a POST request. The request includes a user field, which contains a UUID referring to the particular user. This UUID remains constant throughout subsequent survey responses sent from the same device.
With no user validation (see the “user” key-value pair in the data payload replaced with an arbitrary “SOME_USER_HERE” value), an attacker could arbitrarily generate user IDs – perhaps IDs matching the syntax of the client – and flood the database with fake survey results. The app would likely be unable to differentiate between legitimate survey results and spoofed ones, as the application appears to generate the user ID randomly on the client on first launch.
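Both the HealthLynked symptom-report endpoint and the Sonoma County survey endpoint above accept writes without tying them to an authenticated session. The handler below is an added example (not code from any of the apps reviewed) of how such an endpoint should behave server-side: the user identity comes from a session cookie the server issued, the client-supplied `user` field is never trusted, and reports are rate-limited per user. The session store, the `login` helper and the rate-limit values are assumptions made for the example.

```python
import secrets
import time
from typing import Dict, List, Optional, Tuple

# Constructed in-memory state for the example (a real backend would use a
# persistent session store and database).
SESSIONS: Dict[str, str] = {}          # session cookie -> user id
REPORTS: List[Dict] = []               # accepted self-reports
REPORT_TIMES: Dict[str, List[float]] = {}  # user id -> submission timestamps

RATE_LIMIT_WINDOW = 3600   # seconds (assumed policy)
MAX_REPORTS_PER_WINDOW = 3  # assumed policy


def login(user_id: str) -> str:
    """Hypothetical helper: issue a random session cookie bound to a user."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = user_id
    return token


def submit_report(cookies: Dict[str, str], payload: Dict,
                  now: Optional[float] = None) -> Tuple[int, str]:
    """Accept a self-report only from an authenticated session.

    Returns (status_code, message). The identity written to the database is
    the one bound to the session, so a client cannot pick 'SOME_USER_HERE'
    or any other arbitrary id, and a request with no session is rejected
    instead of producing a 200 write.
    """
    now = time.time() if now is None else now
    token = cookies.get("session")
    user = SESSIONS.get(token) if token else None
    if user is None:
        return 401, "missing or invalid session"
    # A user field is optional, but if present it must match the session.
    if payload.get("user") not in (None, user):
        return 403, "user field does not match session"
    # Per-user rate limit: drop timestamps outside the window, then count.
    recent = [t for t in REPORT_TIMES.get(user, []) if now - t < RATE_LIMIT_WINDOW]
    if len(recent) >= MAX_REPORTS_PER_WINDOW:
        return 429, "too many reports"
    REPORT_TIMES[user] = recent + [now]
    REPORTS.append({"user": user,
                    "symptoms": list(payload.get("symptoms", [])),
                    "zip": payload.get("zip")})
    return 200, "success"
```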
Developer & Ratings: This app was developed by Twenty Holdings, Inc in a partnership with the State of Utah. It has 3.1K ratings, with an average rating of 4.7 stars. Download on the iOS App Store.
App Description: Utah’s official contact-tracing application.
This application has an opt-in location tracking feature, which allows users to share their location with researchers and public health authorities for data analysis purposes. In an effort to make this as private and anonymous as possible, the app doesn’t tie locations to user survey responses (note the POST request below: it has no identifying information in the header/data excluding the location points themselves).
This opens the app up to a particular vulnerability: hackers could potentially reproduce this POST request and send millions of fake user locations to the server, which would render the collected data useless for any research or analysis purpose.
Developer & Ratings: This app was developed by Electronic Health Administration, Ministry of Health, Vietnam. It has 34 ratings, with an average rating of 3.4 stars. Download on the iOS App Store.
App Description: this is an informational app created by the Government of Vietnam.
This app uses Facebook as a backend, as well as Google Analytics. The Facebook backend draws immediate concern; users who are using the Facebook mobile application may be traceable via a device fingerprint.
This isn’t immediately a security violation, but this app appears to be using some form of authentication with a hard-coded client-side email and password (I didn’t enter these myself; the app automatically sent them along). As hard-coded authentication keys, there’s a small chance that these could be used to unlock aspects of the database that shouldn’t be accessible to users of the app.
Developer & Ratings: This app was developed by the Government of Brazil. It has 99 ratings, with an average rating of 3.6 stars. This is a review of version 2.0.8. Download on the iOS App Store.
App Description: This is the official COVID-19 informational app for the country of Brazil.
This application uses an unencrypted HTTP connection instead of HTTPS to send private information via POST requests, such as latitude and longitude coordinates tied to particular user IDs. Note the unchecked TLS column in BurpSuite.
Due to the lack of encryption, an on-path attacker could observe and silently collect the precise locations of millions of users.
Developer & Ratings: This app was developed by Piusworks LLC for Daly City. It has 17 ratings, with an average rating of 3.8 stars. This is a review of version 1.4.0. Download on the iOS App Store.
App Description: The official contact-tracing app of Daly City, CA built on a custom framework.
This application has a significant breach of user privacy in its logging framework. It appears that when the app encounters an error during the login process, it sends a POST request to endpoint /app/api_email.php with the username and MD5 hashed (but not salted) password in the payload. It appears to be sending an email accessible by the support team and/or developers containing an unsalted hash of the user-entered password, which could be identified via a brute-force dictionary attack.
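The Daly City finding combines two mistakes: a password-derived value is placed in a support email at all, and the value is an unsalted MD5 digest, which is deterministic and therefore checkable against a word list offline. The following is an added example (not the app's code) of the two corrective measures: redacting secret fields before anything is sent to support, and, where a password must be stored for verification, using a salted, slow hash so equal passwords no longer produce equal digests. The field names and iteration count are assumptions for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, Tuple

# Keys that must never appear in diagnostics, support emails or logs (assumed list).
SENSITIVE_KEYS = {"password", "passwd", "pass", "pin", "token"}


def redact_for_support(payload: Dict[str, str]) -> Dict[str, str]:
    """Return a copy of a login payload that is safe to send to support.

    Every secret-bearing field is replaced, so neither the plaintext nor any
    digest of it (MD5 or otherwise) leaves the device in an error report.
    """
    return {k: ("[REDACTED]" if k.lower() in SENSITIVE_KEYS else v)
            for k, v in payload.items()}


def unsalted_md5(password: str) -> str:
    """The weak form the app appears to send: no salt, fast, deterministic.

    Because the same password always yields the same digest, anyone holding
    the digest can test candidate passwords against it offline.
    """
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = 200_000) -> Tuple[bytes, bytes]:
    """Salted, slow hash suitable for storage. Returns (salt, digest).

    A fresh random salt per password means identical passwords produce
    different digests, and the iteration count makes each guess expensive.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes,
                    iterations: int = 200_000) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, digest)
```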
This article may be updated periodically as new COVID-19 apps are released on the iOS App Store.