This is according to a report where an app security company evaluated the software for vulnerabilities.
Twelve major e-government mobile apps have been found to be leaking sensitive data and lacking in basic security, according to a report by a Norwegian app security firm.
The e-Government mobile apps from the Asia Pacific region, which are supposed to provide streamlined solutions for healthcare and tax administration, were evaluated by the firm, Promon, and:
- Around 60% of the tested apps leaked sensitive data
- In some cases, personally identifiable information was conveniently stored in well-formatted, but unencrypted SQL databases showing when and where a user had been located
- In almost all cases, it was possible to obtain certificates used to perform Secure Sockets Layer (SSL) and Transport Layer Security (TLS) pinning
- More than 80% of the apps evaluated could be repackaged, injected with malware and redistributed
- 60% of the tested apps had no malware protection in place
- 50% of apps did not even use basic protection techniques such as code obfuscation
- More than 65% of the tested apps were not detecting if an attacker was analyzing the code at runtime using basic and widely used analytic tools
According to the security firm’s Senior Technical Director, Andrew Whaley: “Some of these apps are supposed to monitor user compliance with local lockdown measures. Therefore, there is a real incentive for users to exploit these vulnerabilities. The lack of integrity controls or secure storage of certificates and API keys made it relatively easy to modify the app to report that a user is at home observing quarantine measures when in fact, they are out at a nightclub.”
Whaley added that securing apps using suitable tools for iOS and Android would make it extremely difficult for somebody to bypass these controls. “Therefore it’s surprising that it hasn’t been done in these cases.”
