The Top Privacy Security Risks COVID-19 Passport Apps Pose to Users

Updated: May 16, 2023

As the world gets used to living in a post-pandemic state, newer risks are emerging from mechanisms that are helping people live and move around in the new normal.

A recent report by Symantec shows that about two-thirds of digital vaccination applications have vulnerabilities that can be exploited and place users’ private data at risk.

These applications now serve as digital passports or safe passes and collect data from large populations worldwide, providing a huge target population for hackers.

How digital passports work

Digital passports hold proof of your COVID-19 vaccination status and personally identifiable information like your full name, ID number, date of birth, etc. The information is then encoded in a QR code or displayed in the app directly.

You then show this information at travel points or when accessing areas considered to have a high risk of viral transmission.

Governments' IT and health arms usually issue digital passports, but contracted mobile software developers develop them. In the Symantec report, 40 such passports and ten validation/scanner applications were examined, and 27 were found to be susceptible to several privacy risks.

The prevalent privacy risks

First, there is the issue of using encoding instead of encryption. Many of the applications generate QR codes that are encoded and not encrypted, meaning they only convert data into a digital format that is easy to scan.

Thus, anyone with a QR scanner at the checkpoint can decode this code and access sensitive personal information. With encryption, data is changed into an unreadable form, and only the authorized entities who have the key can decipher it and access the information.
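To make the difference concrete, here is an added example (not code from the Symantec report or from any of the apps it examined): a Python check a developer could run against their own app's QR payload to see which personal fields are readable without any key. The field names, the sample record and the opaque stand-in for ciphertext are all constructed for illustration.

```python
import base64
import binascii
import json
import zlib

# Field names treated as personal data (constructed list for this example).
PII_KEYS = {"name", "id_number", "dob"}

def _b64(text):
    """Decode standard or URL-safe base64, tolerating missing padding."""
    padded = text + "=" * (-len(text) % 4)
    return base64.b64decode(padded.replace("-", "+").replace("_", "/"), validate=True)

def exposed_fields(qr_text):
    """Return the PII field names readable from a QR payload with no key."""
    candidates = [qr_text.encode()]              # payload may be plain JSON
    try:
        raw = _b64(qr_text)
        candidates.append(raw)                   # base64-wrapped JSON
        candidates.append(zlib.decompress(raw))  # compressed, then base64
    except (binascii.Error, ValueError, zlib.error):
        pass
    for blob in candidates:
        try:
            record = json.loads(blob.decode("utf-8"))
        except (UnicodeDecodeError, ValueError):
            continue
        if isinstance(record, dict):
            return sorted(PII_KEYS & record.keys())
    return []  # nothing readable without a key

# Constructed sample record and payloads (not real data).
RECORD = {"name": "Jane Doe", "id_number": "X0000000",
          "dob": "1990-01-01", "vaccinated": True}
PLAIN = json.dumps(RECORD)
ENCODED = base64.b64encode(PLAIN.encode()).decode()
COMPRESSED = base64.urlsafe_b64encode(zlib.compress(PLAIN.encode())).decode()
# Stand-in for an encrypted payload: bytes that decode to nothing readable.
OPAQUE = base64.b64encode(bytes(range(128, 192))).decode()

if __name__ == "__main__":
    for label, payload in [("plain", PLAIN), ("encoded", ENCODED),
                           ("compressed", COMPRESSED), ("opaque", OPAQUE)]:
        print(f"{label:10} exposes {exposed_fields(payload)}")
```

The first three payloads give up the same fields, because base64 and compression are reversible by anyone; only the opaque payload returns an empty list.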

The second issue is with cloud storage services. In 38% of the cases, the report found that health data was transmitted from cloud services that did not have an HTTPS connection, making them susceptible to man-in-the-middle attacks.

The third issue is with the permissions these apps require, especially the Android storage permission. Such permission gives the app unconditional access to the local files on the device, and it was an issue that affected 17 of the 40 apps evaluated.

Other significant privacy risks are the absence of SSL CA validation and hard-coded cloud service credentials.

How to minimize the risks

As a user, you can mitigate these risks first by avoiding apps from obscure and nondescript vendors and only using those on platforms like Apple Health and Google Wallet, which have a rigorous vetting process.

You should also hold back on granting all the requested permissions, especially those that are suspicious and do not affect the app’s primary function.
