The National Information Technology Board (NITB) has responded to the issues highlighted by a social media user pertaining to the recently launched COVID-19 Gov PK mobile app.
A statement issued by NITB’s CEO Shabahat Ali Shah said that the user has highlighted a number of issues pertaining to the app including privacy issues, hardcoded passwords and insecure connections.
The development comes after a social media user, who analyzed the app in detail, uncovered various privacy concerns and security vulnerabilities. The user stated that the official mobile application does not work properly and provides irrelevant and misguided information.
He maintained, "It's not a contact tracing app. It gives access to dashboards for each province and state, you can do a self-assessment, get radius alert, get a popup notification reminding the user of their personal hygiene."
Responding to this issue, the NITB said that the app, which is created for the purpose of curbing the spread of coronavirus pandemic, use 'a very limited personal information' and does not show the ‘exact coordinates ‘ of the infected person.
“Instead it shows radius parameter that is fixed by default at 10 meters for self declared patients and 300 meters at a quarantine location. Hence, self declared patients have given their consent to reveal their coordinates for the safety of the citizens. Moreover, they have accepted our app privacy policy terms/conditions,” maintained NITB.
To the second issue raised by the social media user regarding hardcoded passwords, NITB said that there is no user login mechanism present in the app. “Therefore, use of login and passwords are not part of the app workflow.”
NITB elaborated that the screenshot mentioning hardcoded password is the defined keyword to give more security to auth-token endpoint, so that endpoint can only be used from mobile apps.
Earlier, a social media user highlighted this issue saying, "when you open the app, it asks a token to the pak gov server with hardcoded credentials: CovidAppUser / CovidApi!@#890#. Because hardcoded credentials seems to be a thing in Pakistan, when the app requests the position of infected people on the map, they used another hardcoded creds: ApiUser / ApiUser@1234#,".
The social media user further stated that the first request made by the app is an insecure request. "In the "Radius Alert" tab you can get a map of infected people. Ofc, the exact coordinates of infected people are downloaded by the app."
To which the NITB responded that all its API communicates using HTTPS. “Hence security and protection of data of users as per international standards is of prime importance and implemented at the core.”