New research claims that Hong Kong’s COVID-19 contact tracing app has a host of security problems that could expose sensitive user data. The city’s response: We don’t know what you guys are talking about.
The Hong Kong government launched the LeaveHomeSafe app in November of 2020 to help track and combat the pandemic. Available for iOS and Android, the app collects information on a user’s location as they travel around the city, culling the data from barcode scans at local restaurants. That might seem pretty innocuous, but given the political turmoil in the city over the past several years, Hong Kong residents aren’t the most trusting these days. The app quickly became a subject of controversy, when local residents began expressing concerns that the app might actually be a tool of government surveillance.
In May, the crowdfunded journalism non-profit FactWire reverse engineered the app and found evidence of a facial detection module inside the code. However, it could not be determined whether the module was actually being used or not.
Now, different researchers say that the app has even more problems: namely, a host of security issues that could “allow hackers to access ID numbers, visit records or vaccination and testing information” under the right circumstances.
The research in question was produced by 7ASecurity, a cybersecurity firm based in Poland. In a recently published report, the researchers wrote that while they could not “conclusively prove malicious intent or unauthorised tracking of Hong Kong citizens,” the app has serious security flaws that could result in the leak or theft of user data.
In a statement published to its website on Thursday, the Hong Kong government said that there “has never been any security or privacy-related incidents” in connection with the apps. The government further noted that it “regrets and firmly opposes the inaccurate reports and unfair allegations” made in the report.
COVID tracking has dire consequences in China. At least a million people were under strict lockdown in Wuhan as of Wednesday after three cases were detected there. Enormous factories run by the likes of Foxconn and Huawei have kept workers on site for 24 hours a day to prevent exposure and keep the facilities running. Shanghai has locked down tens of millions of people multiple times over the past six months.
For their part, the researchers seem to be pretty certain of their findings. “The goal of this engagement was to have an independent third party verify whether the official LeaveHomeSafe privacy and security claims, prominently presented on the app homepage, are accurate,” they write. The report goes on:
…[we] managed to spot a total of 12 findings, 8 of which were classified as security vulnerabilities and 4 as general weaknesses with lower exploitation potential. Please note that 3 of the findings in this report had an estimated severity level of high or critical. This poor result strongly suggests that the LeaveHomeSafe mobile apps have not been audited by any competent security firm previously.
You can read 7ASecurity’s full report on the security issues here.