App Security

Critical Vulnerabilities in Government Apps and Why It Is Essential To Secure Them

Mobile government apps create a unique opportunity for governments to interact with their citizens and provide streamlined solutions for them – from eIDs to healthcare apps and, recently, a growing number of COVID-19 apps with different purposes.

Vulnerable Government Apps

Because government apps can hold a significant amount of citizen data, the consequences of an attack could be devastating. If a government app is vulnerable, sensitive citizen data, such as Personally Identifiable Information (PII), could be stolen, with potentially severe consequences for users. One could argue that by not sufficiently securing their apps, governments are jeopardising highly sensitive citizen data.

In some cases, citizens have few options other than the app provided by the government if they want to access certain services. For instance, COVID-vaccine certificates are becoming more and more common, and not having one can, to some extent, limit people's right to move freely. Problems arise when these apps don't have sufficient security in place.

In 2020, governments worldwide saw the need to create COVID apps to try to stay on top of the corona-situation. Unfortunately, not all of them were secure.

Morten Pedersen

Arguably, one of the greatest vulnerabilities in government apps is the exposure of sensitive user data through unsecured data or app assets, such as API keys and certificates.

Typically, eGov apps are designed to track sensitive data, which includes personally identifiable information (PII). This data is often cached on the device before being uploaded to official channels for tracking and similar purposes.

In our study of eGov apps in the Asia-Pacific region, we found that it was possible to scrape this information from a device. In many instances, this data was stored unencrypted. Where the PII was stored in encrypted form, the storage media could still be reverse-engineered because of the lack of security the apps showed. The encryption keys could be extracted easily through hooking techniques and were, in some cases, even present in the app codebase itself. This could result in a data breach that could cause irreparable damage to the parties involved – both the government providing the app and its users.

Another study, conducted by researchers from the ZeroFox Alpha Team and focusing on COVID-related apps, found several serious vulnerabilities. For example, they discovered that an app created by the Colombian government to track COVID symptoms used insecure communication with the API server throughout the app workflow. By using insecure server calls to relay users' personal data, the app could put citizens' health information and other personal information at risk.
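The two findings above (keys shipped inside the app codebase, and cleartext calls to the API server) are both things a development team can check for in its own build before release. The following is an added example, not code from the article or from either study; it assumes an unpacked Android build, and the rule names, entropy threshold and sample files are constructed for illustration.

```python
import math
import re
from collections import Counter

# Patterns for the asset classes the article names: embedded keys/certificates
# and cleartext API endpoints. The rule names are this example's own.
RULES = {
    "pem-private-key": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
    "cleartext-endpoint": re.compile(r"""http://(?!schemas\.android\.com)[^\s"'<>]+"""),
    "cleartext-allowed": re.compile(r'usesCleartextTraffic\s*=\s*"true"'),
}
# A quoted constant assigned to a name that looks like a key or secret.
ASSIGNED = re.compile(r'(?i)(\w*(?:key|secret|token)\w*)\s*=\s*"([A-Za-z0-9+/=_\-]{16,})"')

def entropy(s):
    """Shannon entropy in bits per character."""
    counts = Counter(s)
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def audit(files, min_entropy=3.5):
    """Return sorted (path, line_no, rule) findings for {path: text}."""
    findings = []
    for path, text in files.items():
        for no, line in enumerate(text.splitlines(), 1):
            for rule, rx in RULES.items():
                if rx.search(line):
                    findings.append((path, no, rule))
            m = ASSIGNED.search(line)
            # Entropy filter drops placeholders such as "xxxxxxxxxxxxxxxx".
            if m and entropy(m.group(2)) >= min_entropy:
                findings.append((path, no, "hardcoded-secret"))
    return sorted(findings)

# Constructed sample of an unpacked build; every value is made up.
SAMPLE = {
    "AndroidManifest.xml": '<application android:usesCleartextTraffic="true">',
    "src/Api.java": 'String BASE = "http://api.example.invalid/v1/report";\n'
                    'String API_KEY = "q7Zp2LmX9vRt4KsW8bNc1HdY";\n'
                    'String DEMO_KEY = "xxxxxxxxxxxxxxxxxxxxxxxx";',
    "src/Store.java": 'String AES_KEY = "c2FtcGxlLWtleS1ub3QtcmVhbC0wMDE=";',
    "src/Ok.java": 'String BASE = "https://api.example.invalid/v1";',
}

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(*f)
```

Any finding should fail the release build: keys belong in the platform keystore or on the server, and every endpoint that carries PII should be HTTPS.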
