I've had a look at France's #StopCovid application sources. The server is coded with Java/Spring Boot so I was happy to find my favorite tech stack here! Then I became quickly disappointed ⬇️
Our minister @cedric_o said that the data was stored in France's "most secured file of the Republic". I have designed and worked on many applications for the French state (healthcare, central bank, etc) so I was expecting something... different
As you can see in the source code at gitlab.inria.fr/stopcovid19/ro… this is in fact a Spring Boot application that stores the data in a MongoDB server. It's basically storing a key per user, as well as its associated contacts.
So in fact, all the data from everybody is in the same MongoDB database. I don't see anything specific to secure it (like SSL connection in the database client). And unless the governement pays for the enterprise version, the data isn't encrypted at rest.
Using MongoDB means the backups are simply disk snapshots, who knows where those snapshots are stored?
For Spring Boot: I don't see anything to monitor it (like Spring Boot Actuator), so I'm guessing they monitor this using a Java agent -> all the data is therefore leaking to whatever monitoring solution they have, including the personal keys.
It would be trivial to get people's IPs when they connect, and then map all of the population contacts. In fact, you just need to turn on the Spring Boot logs, and as you can configure them from outside of the application, maybe it's already the case.
In fact, they probably did turn those logs on in order to protect the application from DDOS attacks. That's what they currently do for our official COVID form at media.interieur.gouv.fr/deplacement-co… using Incapsula, another third-party (from the US).
In a nutshell, I was expecting the "most secured file of the Republic" would be something different. I'm definitely not putting my personal data in there.
Thank you for all the comments. I’ve done a new thread today with more information ➡️
