[BreachExchange] Proposed government coronavirus tracking app falls at the first hurdle due to data breach

Destry Winant destry at riskbasedsecurity.com
Tue Apr 21 10:20:15 EDT 2020


A mobile application proposed to the government of the Netherlands as
a means to track COVID-19 has already fallen short of acceptable
security standards by leaking user data.

The app, Covid19 Alert, was one of seven applications presented to the
Ministry of Health, Welfare, and Sport, as reported by RTL Nieuws.

The shortlisted mobile app's source code was published online over the
weekend for scrutiny as the government decides which solution to back.
It was not long before developers realized that the source files
contained user data -- originating from another application.

According to the publication, the app contained close to 200 full
names, email addresses, and hashed user passwords stored in a database
from another project linked to an Immotef developer.

The source code was quickly pulled, but the damage was already done,
with one developer criticizing the leak as "amateurish."

A spokesperson for the Covid19 Alert app said the information was
"accidentally put online" due to the haste in which the team wanted to
make the source code available for analysis.

The developers are working on improvements, but it remains to be seen
if Covid19 Alert will go any further in the selection process, which
is ongoing.

Mobile technology, specifically our smartphones and tablets, provides
an opportunity for healthcare providers, governments, and researchers
to be able to accurately track the spread of the novel coronavirus
moving through populations.

However, forcing the general public to install these kinds of
applications has prompted a number of privacy and security concerns,
including how geolocation data is stored and could otherwise be used,
whether or not information can be anonymized properly, and how
tracking individuals in the future could erode rights to free
movement, speech, and association.

At the beginning of April, 130 scientists, academics, and technology
experts launched the Pan-European Privacy Preserving Proximity Tracing
(PEPP-PT) initiative, a European scheme designed to oversee the
development of COVID-19 tracker apps.

Earlier this month, researchers from Boston University proposed an
alternative method for tracking COVID-19 that does not impede our
privacy. A voluntary mobile application installed on our smartphones
leverages short-range broadcast technology -- such as NFC or
Bluetooth -- and blasts out ID numbers that change on a frequent
basis to those nearby.

These numbers are stored on the device itself and users can choose to
share them if they are diagnosed with COVID-19 to alert others that
they have been in contact with a confirmed case.
