A smartphone app created to help EU citizens apply to work and live in the UK after Brexit has been found to lack basic security.
Researchers at the Norwegian security firm Promon tested the EU Exit: ID Document Check Android app and found that it lacks the protections needed to stop malware from reading and stealing sensitive information entered by users, such as passport details.
“Attackers may modify or add malicious elements to the app, repackage and re-distribute the app, without the app noticing such changes or foreign elements,” Promon said. “The app is not resilient against code being injected while the app is running, allowing hijacking the app from the inside, by the use of basic and widely spread tools.”
Additionally, the app cannot detect whether it is running in a hostile environment such as a rooted phone, in which “the basic security architectures of Android have been broken.”
Researchers also found that personal information could easily be stolen using basic, generic spyware. Furthermore, the app does not use obfuscation, which “can make the job of developing targeted malware more time consuming for an attacker.”
“From our research, we found that the Brexit app on Android lacks crucial security measures, which is hugely concerning when you consider the sensitive nature of the information that users input into it,” comments Promon CTO Tom Lysemose Hansen.
“At this time of political uncertainty, the last thing that people who are applying to remain in the United Kingdom need, or expect, are concerns around whether their passport information and photo IDs are being stolen by hackers. As the app will continue to grow in popularity and demand, with more people fearful of what will happen to them if the UK does leave, it means that it will become increasingly attractive to attackers, with the potential subsequent fallout devastating.”
Researchers concluded that the app includes no countermeasures and implements no protection mechanisms, thus falling short of the OWASP-recommended standards for best practice.
Consequently, the likelihood of data leaking or being manipulated is much higher than for an app that adheres to such standards.
The post #Privacy: UK Home Office app filled with serious vulnerabilities appeared first on PrivSec Report.