A French security researcher, Baptiste Robert, known on Twitter by the pen name Elliot Alderson, has criticised the Pakistani government's official COVID-19 mobile application over security flaws, highlighting several privacy errors in the application developed by the National Information Technology Board (NITB).
In a series of tweets, Robert said the "Radius Alert" app was being run without proper security practices and used hardcoded passwords, the practice of embedding plain-text (unencrypted) passwords directly in the source code.
“To display the pins on the map, the app is downloading the exact longitude and latitude of sick people,” he said. Any hacker could find the locations of the identified patients in Pakistan.
He further tweeted that the app's requests to the server were insecure (they were made over plain HTTP rather than HTTPS), so any hacker intercepting the traffic could read the username and password used to access the server. So far, more than 500,000 people have downloaded the app.
In response to the allegations, NITB Chief Executive Officer (CEO) Shabat Ali Shah said the app did not show the exact coordinates of infected people; instead, it showed a radius parameter that is fixed by default at 10 metres for self-declared patients and 300 metres for a quarantine location.
The NITB CEO said there was always room for improvement and any critical analysis would be appreciated.
He added that the NITB was also preparing a security audit report of the app.
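The design point at the heart of the dispute is whether a client must ever receive patient coordinates to render an alert. The following is an added illustration, not code from the Radius Alert app or NITB: the server performs the proximity check and returns only an alert flag and the radius involved, so a client (or anyone capturing its traffic) cannot reconstruct a map of patients from the response. The coordinates, case records and function names are constructed for the example; the 10 m and 300 m radii are the defaults the article quotes.

```python
"""Server-side radius alert (added example, not the app's own code).
Case coordinates stay on the server; clients get a yes/no answer plus the
radius that matched. All locations below are constructed sample data."""
import math
from dataclasses import dataclass

EARTH_RADIUS_M = 6_371_000.0  # mean Earth radius in metres


@dataclass(frozen=True)
class Case:
    lat: float        # stored server-side only, never serialised to clients
    lon: float
    radius_m: float   # 10 m self-declared, 300 m quarantine site (article defaults)


def haversine_m(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in metres between two lat/lon points (degrees)."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def radius_alert(user_lat: float, user_lon: float, cases: list[Case]) -> dict:
    """Return only what the client needs to draw a warning: whether any case
    radius covers the user's position and the largest such radius.
    Raw case coordinates never leave this function, so the API response
    cannot be mined for exact patient locations."""
    hits = [c.radius_m for c in cases
            if haversine_m(user_lat, user_lon, c.lat, c.lon) <= c.radius_m]
    return {"alert": bool(hits), "max_radius_m": max(hits, default=0.0)}


# Constructed sample cases (approximate Islamabad coordinates, not real patients)
SAMPLE_CASES = [
    Case(33.6844, 73.0479, 10.0),    # self-declared case, 10 m radius
    Case(33.7294, 73.0931, 300.0),   # quarantine location, 300 m radius
]

if __name__ == "__main__":
    # A user about 110 m north of the quarantine site: alert, radius 300 m
    print(radius_alert(33.7304, 73.0931, SAMPLE_CASES))
```

This only addresses the coordinate-disclosure point; the transport still has to be HTTPS and the server credentials must not be embedded in the client, which are the other two findings in the tweets.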