While India’s Covid-19 contact tracing app, Aarogya Setu, has faced plenty of flak for being detrimental towards user privacy, a new investigation by French ethical hacker Robert Baptiste has revealed that the Covid-19 contact tracing app offered by the Pakistani government, named ‘Covid-19 Gov PK’, ironically does not even offer contact tracing as a feature on the app. Calling the app out for its “hard-coded passwords, insecure connections and privacy issues”, Baptiste, who goes by the alias ‘Elliot Alderson’ on Twitter, has revealed numerous shortcomings of the app to the public.
1/ Yesterday night, I analysed "COVID-19 Gov PK", the official #Covid19 mobile app made by the Pakistani government. Hardcoded passwords, insecure connections, privacy issues, ... nothing is ok with this app.Want to see this horror? Follow me ⬇️ pic.twitter.com/cpdf5ezoFM— Elliot Alderson (@fs0c131y) June 9, 2020
According to his posts, the Covid-19 Gov PK app gives access to state and province-wise dashboards that list down the total number of confirmed cases in these regions, as well as the total number of recovered Covid-19 patients, total number of critical Covid-19 patients and the total number of death, in both these regions and across the country. It also states the total number of cases disclosed in the past 24 hours, and has other sections such as radius alerts, a Covid-19 self assessment and more. However, while the information that this app seems to offer may be legitimate, it is difficult to understand why it would ask for sensitive user data such as passwords, location and other such information, in order to simply offer updates that may be read from news portals.
Baptiste has further revealed that the connection that the Pakistani Covid-19 Gov PK app makes with its server is insecure as well. As a result, any potential attacker will be able to access usernames and passwords. To make matters worse, the ‘radius alert’ app is also managed without proper security bearings. As a result, anyone with such intentions will be able to find the exact locations of all identified Covid-19 patients in Pakistan. All of this summed up for Baptiste to call Covid-19 Gov PK “the worst Covid-19 app” that he has analysed so far.
Baptiste came under keen scrutiny of Indian users after he reported a number of privacy gaffes in the Indian government’s Aarogya Setu contact tracing app. With his latest report on the Pakistan government’s attempt at a contact tracing app, cyber security watchers will be alarmed at the lackadaisical approach that certain governments have taken, without formulating proper privacy guidelines, operational strategies and other such points. That the Covid-19 Gov PK app has already been downloaded over half a million times on the Google Play Store alone also speaks volumes about the privacy, data and cyber security threat that it represents for many in Pakistan.