🔎 I took a closer look at some #government #apps related to🦠#COVID19 that are just springing up like mushrooms. If you find an app/country missing in the [thread] below, please let me know!
#tracking #surveillance #appsec #Virucy
🇵🇱 Home Quarantine (Kwarantanna domowa): Can access 📸, phone/serial no., knows about the 📲 you placed or got etc.
Tracking with @Facebook Analytics, @Google @Firebase, @Microsoft @VSAppCenter Analytics.
play.google.com/store/apps/det…
Broadcast receivers exported. Possible SQL injections (CWE-89). Sensitive information stored in cleartext (CWE-312) and into Log Files (CWE-532). Using MD5 and Java Hash algorithm (CWE-327). Use of insufficiently Random Values (CWE-330). Insecure WebView implementation (CWE-749).
🇸🇬 TraceTogether: Can pair with any Bluetooth device around. Tracking with @Google @Firebase Analytics, @crashlytics, @snowplowdata.
"Once the outbreak is over [...] users will be updated on how to delete the data from their phones"
play.google.com/store/apps/det…
tracetogether.zendesk.com/hc/en-sg/artic…
Broadcast receivers exported. Possible SQL injections (CWE-89). Sensitive information logged (CWE-532). Using MD5, SHA-1 and Java Hash algorithm (CWE-327). Use of insufficiently Random Values (CWE-330). Remote WebView debugging (CWE-919).
🇮🇱 CoronApp: Can access contact data etc.
Tracking with @Google @Firebase, @GoogleAds, @crashlytics, #Doubleclick, @Pushwoosh.
play.google.com/store/apps/det…
Broadcast receivers, content provider exported. TaskAffinity set. Possible SQL injections (CWE-89). Cleartext storage of sensitive information (CWE-312), temp files (CWE-276), logging (CWE-532). Using MD5, SHA-1, Java Hash algorithm (CWE-327). Insuff. Random Values (CWE-330).
🇨🇴 CoronApp: Can call phone nos. without your intervention, access contact data etc.
❗️User login and account management over cleartext HTTP❗️
Tracking with @Facebook Analytics, #Login, #Share, @Google @Firebase, @googleanalytics, @crashlytics, #TagManager
play.google.com/store/apps/det…
Broadcast receivers, content provider exported. TaskAffinity set. Possible SQL injections (CWE-89). Cleartext storage/logging of sensitive information (CWE-312, -532). Using Java Hash algorithm (CWE-327). Insuff. Random Values (CWE-330). Insecure WebView implementation (CWE-749).
🇧🇷 Coronavírus - SUS: far from perfect, but quite solid.
Still broadcast receivers exported and logging (CWE-532).
Tracking with @googleanalytics and #TagManager though.
play.google.com/store/apps/det…
#Catalonia STOP COVID19 CAT: Can access phone/serial no., knows about the 📲 you placed or got etc.
Tracking with @Google @Firebase.
play.google.com/store/apps/det…
Broadcast receivers exported. Cleartext traffic. Possible SQL injections (CWE-89). Logging of sensitive information (CWE-532). Using SHA-1, Java Hash algorithm (CWE-327).
🇺🇾 Coronavirus UY: Can access location in the background and modify the system's settings.
Tracking with @Google @Firebase and @onesignal.
Broadcast receivers and activity exported. Possible SQL injections (CWE-89).
play.google.com/store/apps/det…
Sensitive information stored in cleartext (CWE-312), temp and log files (CWE-276, -532). Insecure TLS Implementation, risk of MITM (CWE-295). Remote WebView debugging and user controlled code (CWE-919, -749). Using Java Hash algorithm (CWE-327). Insuff. random Values (CWE-330).
New #app out in 🇮🇱, המגן - #Hamagen ('The Shield') "that lets you know if you were near #Corona patients":
Can access location in the background and recognise physical activity.
Tracking w/ @Google @Firebase Analytics.
play.google.com/store/apps/det…
Broadcast receivers exported. Possible SQL injections (CWE-89). Cleartext storage/logging of sensitive information (CWE-312, -532). Using MD5, SHA-1, Java Hash algorithm (CWE-327) and insufficiently random values (CWE-330).
🇻🇳 NCOVI: Can call phone numbers without your intervention, take pictures/videos etc.
Tracking with @Mapbox.
Broadcast receivers exported. Writes to external storage (CWE-276). Logging sensitive information (CWE-532). Using Java Hash algorithm (CWE-327).
play.google.com/store/apps/det…
🇹🇭 AOT Airports: Can call phone numbers without your intervention, take pictures/videos etc.
Tracking with @Google @Firebase, @crashlytics, @Facebook Analytics, Login, @uxcam.
aot-app.kdlab.ai
See also, thailand-business-news.com/health/78399-t…
Broadcast receivers exported. Cleartext traffic. Debug enabled. Storing sensitive information (CWE-312), temp files (-276), logging (-532). Possible SQL injections (-89). Insecure WebView implementation+debugging (-749). MD5/SHA-1/Java Hash algorithm (-327). Random values (-330).
🇻🇳 COVID-19: Can take pictures/videos, download without notification, knows about the calls you placed or got, record audio, modify system settings, etc.
Tracking with @Google @Firebase, @Facebook Analytics, Login.
play.google.com/store/apps/det…
Broadcast receivers exported. Cleartext traffic, storage of sensitive information (CWE-312), temp files (CWE-276), logging (CWE-532). Possible SQL injections (CWE-89). Insecure WebView and TLS Implementation (CWE-749, -295). Using MD5, SHA-1, Java Hash algorithm (CWE-327).
🇪🇨 CovidEC: No common trackers 😇 Can access GPS location (like almost all analysed apps).
Some flaws though: Possible SQL injections (CWE-89). Logging (CWE-532). App copies data to clipboard. Using Java Hash algorithm (CWE-327).
play.google.com/store/apps/det…
🇨🇺 COVID-19-InfoCU: No common trackers 😇
Not much to flag, except an insecure WebView implementation (CWE-749).
sld.cu/noticia/2020/0…
🇦🇷 Covid-19 Ministerio de Salud: Can take pictures/videos, ❗️access all contact (address) data and calendar events❗️, record audio, knows about the calls you placed or got, install packages, change system settings etc.
play.google.com/store/apps/det…
Tracking: @Google @Firebase, @googleanalytics, @crashlytics, @GoogleAds, @Facebook Analytics, Login, @Amplitude_HQ
Broadcast receivers exported. Storing sensitive information (CWE-312), temp files (-276), logging (-532). Possible SQL injections (-89). Java Hash algorithm (-327). Random values (-330).
🇮🇳 (Punjab) Cova Punjab: Can access GPS location and read SD card (like almost all analysed apps).
Tracking with @Google @Firebase Analytics, @crashlytics.
play.google.com/store/apps/det…
Broadcast receivers exported. Cleartext traffic, storage of sensitive information (CWE-312), temp files (CWE-276), logging (CWE-532). Possible SQL injections (CWE-89). Using MD5, SHA-1, Java Hash algorithm (CWE-327). Insuff. random values (-330).
🇬🇹 Alerta Guate (thx for the hint @luisassardo): Can place calls, record audio, access location in the background etc.
Tracking with @Facebook Analytics, Login, @Google @Firebase. Developed by @get_intelligent.
play.google.com/store/apps/det…
Broadcast receivers exported. Cleartext traffic, storage of sensitive information (CWE-312), temp files (CWE-276), logging (CWE-532). Insecure WebView Implementation (CWE-749). Using MD5, Java Hash algorithm (CWE-327).
🇲🇽 (Pueblo) COVID PUEBLA: No common trackers 😇 Can access GPS location (like almost all analysed apps).
Storage of sensitive information (CWE-312), logging (CWE-532). Insuff. random values (-330). Using Java Hash algorithm (CWE-327). SSL pinning(?).
previenecovid19.puebla.gob.mx
🇨🇦 (British Columbia) BC COVID-19 Support (thx for the hint @montezumachavez): Can take pictures/videos, record audio etc.
Built with @getcapacitor.
Tracking with @Google @Firebase Analytics, @crashlytics, @branchmetrics.
play.google.com/store/apps/det…
"Personal health information is anonymized", see thrive.health/foippa
Broadcast receivers exported. Cleartext traffic, storage of sensitive information (CWE-312), temp files (CWE-276), logging (CWE-532). Using MD5, Java Hash algorithm (CWE-327).
🇮🇳 Corona Kavach: Can pair with any Bluetooth device around and make phone visible to others, knows about the calls you placed or got etc.
No common trackers 😇 though server connection/auth looks somewhat bizarre ...
play.google.com/store/apps/det…
Cleartext traffic, storage of sensitive information (CWE-312), logging (CWE-532). Possible SQL injections (CWE-89). Using Java Hash algorithm (CWE-327). SSL pinning(?).
🇮🇳 (K'taka Health Dept) Corona Watch: Knows about the calls you placed or got etc.
No common trackers, but ... user auth over cleartext❗️
play.google.com/store/apps/det…
Cleartext traffic, storage of sensitive information (CWE-312), temp files (-276), logging (-532). Possible SQL injections (-89). Using Java Hash algorithm (-327). Insuff. random values (-330).
🇩🇪 Germany's Public Health Authority has released its smartwatch/#wearable app today:
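The same handful of findings recur in almost every app above: exported broadcast receivers, cleartext traffic, debug builds, MD5/SHA-1, java.util.Random, logging of sensitive values, and WebView JavaScript or remote debugging. The script below is an added example (it is not the thread author's tooling and not code from any of the apps named) showing how such a triage pass can be reproduced on a decompiled APK: one function walks AndroidManifest.xml for exported components without a guarding permission, cleartext traffic and debuggable flags, and a second greps decompiled Java for the weak-crypto, RNG, logging and WebView patterns, tagging each with the CWE the thread uses. The manifest and source snippet are constructed for the demo, and the package name, component names and finding kinds are assumptions, not taken from any real app.

```python
"""Manifest and source triage for the finding classes listed in the thread.
Added example; the sample manifest and Java source below are constructed, not
taken from any of the apps discussed."""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def _attr(elem, name):
    """Read an android:-namespaced attribute from a manifest element."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def check_manifest(manifest_xml):
    """Flag debuggable builds, cleartext traffic and unguarded exported components."""
    findings = []
    app = ET.fromstring(manifest_xml).find("application")
    if app is None:
        return findings
    if _attr(app, "debuggable") == "true":
        findings.append({"kind": "debug_enabled", "cwe": None, "where": "application"})
    if _attr(app, "usesCleartextTraffic") == "true":
        findings.append({"kind": "cleartext_traffic", "cwe": None, "where": "application"})
    for comp in app:
        if comp.tag not in ("activity", "receiver", "service", "provider"):
            continue
        exported = _attr(comp, "exported")
        has_filter = comp.find("intent-filter") is not None
        # The launcher activity is legitimately exported; skip it.
        is_launcher = any(_attr(a, "name") == "android.intent.action.MAIN"
                          for a in comp.iter("action"))
        # Before targetSdk 31 a component with an intent-filter and no explicit
        # android:exported defaults to exported, so treat that as exported too.
        effectively_exported = exported == "true" or (exported is None and has_filter)
        if effectively_exported and not is_launcher and _attr(comp, "permission") is None:
            findings.append({"kind": "exported_component", "cwe": None,
                             "where": "%s %s" % (comp.tag, _attr(comp, "name"))})
    return findings


# (kind, CWE as used in the thread, regex over one line of decompiled Java)
SOURCE_PATTERNS = [
    ("weak_hash", "CWE-327", re.compile(r'MessageDigest\.getInstance\(\s*"(MD5|SHA-?1)"')),
    ("weak_rng", "CWE-330", re.compile(r'\bnew\s+(java\.util\.)?Random\s*\(')),
    ("webview_js_enabled", "CWE-749", re.compile(r'setJavaScriptEnabled\(\s*true\s*\)')),
    ("webview_remote_debug", "CWE-919", re.compile(r'setWebContentsDebuggingEnabled\(\s*true\s*\)')),
    ("logging", "CWE-532", re.compile(r'\bLog\.[vdiwe]\(')),  # candidate; review what is logged
]


def check_source(java_src):
    """Return one finding per line that matches a SOURCE_PATTERNS entry."""
    findings = []
    for lineno, line in enumerate(java_src.splitlines(), 1):
        for kind, cwe, pat in SOURCE_PATTERNS:
            if pat.search(line):
                findings.append({"kind": kind, "cwe": cwe, "where": "line %d" % lineno})
    return findings


def triage(manifest_xml, java_src):
    """Run both passes and summarise as kind -> count."""
    summary = {}
    for f in check_manifest(manifest_xml) + check_source(java_src):
        summary[f["kind"]] = summary.get(f["kind"], 0) + 1
    return summary


# Constructed sample manifest (hypothetical package and component names).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="example.quarantine">
  <application android:debuggable="true" android:usesCleartextTraffic="true">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <receiver android:name=".StatusReceiver" android:exported="true">
      <intent-filter><action android:name="example.quarantine.STATUS"/></intent-filter>
    </receiver>
    <receiver android:name=".SyncReceiver">
      <intent-filter><action android:name="example.quarantine.SYNC"/></intent-filter>
    </receiver>
    <receiver android:name=".SafeReceiver" android:exported="true"
        android:permission="example.quarantine.INTERNAL"/>
    <provider android:name=".DataProvider" android:authorities="example.quarantine.data"
        android:exported="false"/>
  </application>
</manifest>"""

# Constructed sample of decompiled Java exhibiting the patterns above.
SAMPLE_SOURCE = """MessageDigest md = MessageDigest.getInstance("MD5");
String token = Integer.toString(new Random().nextInt());
Log.d("Quarantine", "token=" + token + " phone=" + phone);
webView.getSettings().setJavaScriptEnabled(true);
WebView.setWebContentsDebuggingEnabled(true);"""

if __name__ == "__main__":
    for f in check_manifest(SAMPLE_MANIFEST) + check_source(SAMPLE_SOURCE):
        print(f["kind"], f["cwe"] or "-", f["where"])
    print(triage(SAMPLE_MANIFEST, SAMPLE_SOURCE))
```

On the sample, the receiver with an explicit android:exported="true" and the one that inherits exported status from its intent-filter are both flagged, while the receiver guarded by a permission and the non-exported provider are not; the regex pass is deliberately line-based so its output maps straight onto the decompiled file, and the logging hit is only a candidate until someone reads what is actually written to the log.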
Thread by Christopher Schmidt