AGL 40.00 Decreased By ▼ -0.16 (-0.4%)
AIRLINK 129.53 Decreased By ▼ -2.20 (-1.67%)
BOP 6.68 Decreased By ▼ -0.01 (-0.15%)
CNERGY 4.63 Increased By ▲ 0.16 (3.58%)
DCL 8.94 Increased By ▲ 0.12 (1.36%)
DFML 41.69 Increased By ▲ 1.08 (2.66%)
DGKC 83.77 Decreased By ▼ -0.31 (-0.37%)
FCCL 32.77 Increased By ▲ 0.43 (1.33%)
FFBL 75.47 Increased By ▲ 6.86 (10%)
FFL 11.47 Increased By ▲ 0.12 (1.06%)
HUBC 110.55 Decreased By ▼ -1.21 (-1.08%)
HUMNL 14.56 Increased By ▲ 0.25 (1.75%)
KEL 5.39 Increased By ▲ 0.17 (3.26%)
KOSM 8.40 Decreased By ▼ -0.58 (-6.46%)
MLCF 39.79 Increased By ▲ 0.36 (0.91%)
NBP 60.29 No Change ▼ 0.00 (0%)
OGDC 199.66 Increased By ▲ 4.72 (2.42%)
PAEL 26.65 Decreased By ▼ -0.04 (-0.15%)
PIBTL 7.66 Increased By ▲ 0.18 (2.41%)
PPL 157.92 Increased By ▲ 2.15 (1.38%)
PRL 26.73 Increased By ▲ 0.05 (0.19%)
PTC 18.46 Increased By ▲ 0.16 (0.87%)
SEARL 82.44 Decreased By ▼ -0.58 (-0.7%)
TELE 8.31 Increased By ▲ 0.08 (0.97%)
TOMCL 34.51 Decreased By ▼ -0.04 (-0.12%)
TPLP 9.06 Increased By ▲ 0.25 (2.84%)
TREET 17.47 Increased By ▲ 0.77 (4.61%)
TRG 61.32 Decreased By ▼ -1.13 (-1.81%)
UNITY 27.43 Decreased By ▼ -0.01 (-0.04%)
WTL 1.38 Increased By ▲ 0.10 (7.81%)
BR100 10,407 Increased By 220 (2.16%)
BR30 31,713 Increased By 377.1 (1.2%)
KSE100 97,328 Increased By 1781.9 (1.86%)
KSE30 30,192 Increased By 614.4 (2.08%)
Pakistan

NITB rejects errors, privacy issues pertaining govt’s COVID-19 App

  • A statement issued by NITB’s CEO Shabahat Ali Shah said that the user has highlighted a number of issues pertaining to the app including privacy issues, hardcoded passwords, and insecure connections.
Published June 10, 2020

The National Information Technology Board (NITB) has responded to the issues highlighted by a social media user pertaining to the recently launched COVID-19 Gov PK mobile app.

A statement issued by NITB’s CEO Shabahat Ali Shah said that the user has highlighted a number of issues pertaining to the app including privacy issues, hardcoded passwords and insecure connections.

The development comes after a social media user, who analyzed the app in detail, uncovered various privacy concerns and security vulnerabilities. The user stated that the official mobile application does not work properly and provides irrelevant and misguided information.

He maintained, "It's not a contact tracing app. It gives access to dashboards for each province and state, you can do a self-assessment, get radius alert, get a popup notification reminding the user of their personal hygiene."

Responding to this issue, the NITB said that the app, which is created for the purpose of curbing the spread of coronavirus pandemic, use 'a very limited personal information' and does not show the ‘exact coordinates ‘ of the infected person.

“Instead it shows radius parameter that is fixed by default at 10 meters for self declared patients and 300 meters at a quarantine location. Hence, self declared patients have given their consent to reveal their coordinates for the safety of the citizens. Moreover, they have accepted our app privacy policy terms/conditions,” maintained NITB.

To the second issue raised by the social media user regarding hardcoded passwords, NITB said that there is no user login mechanism present in the app. “Therefore, use of login and passwords are not part of the app workflow.”

NITB elaborated that the screenshot mentioning hardcoded password is the defined keyword to give more security to auth-token endpoint, so that endpoint can only be used from mobile apps.

Earlier, a social media user highlighted this issue saying, "when you open the app, it asks a token to the pak gov server with hardcoded credentials: CovidAppUser / CovidApi!@#890#. Because hardcoded credentials seems to be a thing in Pakistan, when the app requests the position of infected people on the map, they used another hardcoded creds: ApiUser / ApiUser@1234#,".

The social media user further stated that the first request made by the app is an insecure request. "In the "Radius Alert" tab you can get a map of infected people. Ofc, the exact coordinates of infected people are downloaded by the app."

To which the NITB responded that all its API communicates using HTTPS. “Hence security and protection of data of users as per international standards is of prime importance and implemented at the core.”

Comments

Comments are closed.