1/ Yesterday night, I analysed "COVID-19 Gov PK", the official #Covid19 mobile app made by the Pakistani government. Hardcoded passwords, insecure connections, privacy issues, ... nothing is ok with this app.
Want to see this horror? Follow me ⬇️
2/ This app, made by the Ministry of IT and Telecom with National Information Technology Board, is available on the PlayStore and has been downloaded more than 500,000 times.
3/ It's NOT a contact tracing app. It gives access to dashboards for each province and state; you can do a self-assessment, get a radius alert, and get a popup notification reminding the user of their personal hygiene (wut?).
4/ When you open the app, it asks the pak gov server for a token using hardcoded credentials: CovidAppUser / CovidApi!@#890#
5/ Because hardcoded credentials seem to be a thing in Pakistan, when the app requests the positions of infected people on the map, it uses another set of hardcoded creds: ApiUser / ApiUser@1234#
6/ The 1st request made by the app is, ofc, an insecure request
7/ In the "Radius Alert" tab you can get a map of infected people. Ofc, the exact coordinates of infected people are downloaded by the app 🤦♂️
Sick people deserve privacy
8/8 To sum up, in "COVID-19 Gov PK" we found:
- hardcoded passwords
- insecure requests
- privacy issue
Thanks for the good laugh, you are the worst #Covid19 app I analysed
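The two design failures the thread points at (plain-HTTP requests, and a "Radius Alert" that ships every infected person's exact coordinates to the phone) both have simple server-side fixes. The Python below is an added example written for this page, not code from the app or the thread: it contrasts the leaky pattern (return raw coordinates and let the client filter) with a privacy-preserving endpoint that snaps case locations to a coarse grid, computes the distance check on the server, and returns only a count that is suppressed below a k-anonymity threshold. The case coordinates, the `require_https` helper, the grid size and the k value are all constructed assumptions for illustration.

```python
import math

# Constructed sample data for the example: NOT real case locations.
# Four points around Islamabad and one around Karachi.
CASES = [
    (33.6844, 73.0479),
    (33.7000, 73.0500),
    (33.6700, 73.0300),
    (33.7200, 73.0800),
    (24.8607, 67.0011),
]

EARTH_RADIUS_KM = 6371.0


def require_https(url: str) -> str:
    """Reject any API base URL that is not HTTPS (the app's first request was plain HTTP)."""
    if not url.lower().startswith("https://"):
        raise ValueError(f"refusing insecure API URL: {url}")
    return url


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two WGS84 points, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def leaky_radius_alert(user_lat: float, user_lon: float, radius_km: float) -> list:
    """The pattern described in the thread: exact case coordinates leave the server.

    Even though this version filters by radius, the client still receives precise
    points that can be mapped back to individual homes or workplaces.
    """
    return [c for c in CASES if haversine_km(user_lat, user_lon, *c) <= radius_km]


def snap_to_grid(lat: float, lon: float, cell_deg: float) -> tuple:
    """Coarsen a coordinate to the centre of a cell_deg x cell_deg grid cell."""
    return (round(lat / cell_deg) * cell_deg, round(lon / cell_deg) * cell_deg)


def private_radius_alert(user_lat: float, user_lon: float, radius_km: float,
                         k_anonymity: int = 3, cell_deg: float = 0.05) -> dict:
    """Privacy-preserving alternative (assumed design, not the app's).

    The server does the distance check against grid-snapped case locations and
    returns only an aggregate count. Counts below k_anonymity are suppressed so
    that a lone case in a sparse area cannot be singled out by probing.
    """
    count = 0
    for lat, lon in CASES:
        glat, glon = snap_to_grid(lat, lon, cell_deg)
        if haversine_km(user_lat, user_lon, glat, glon) <= radius_km:
            count += 1
    suppressed = count < k_anonymity
    return {"cases_within_radius": 0 if suppressed else count, "suppressed": suppressed}


if __name__ == "__main__":
    base = require_https("https://api.example.invalid/")  # placeholder host
    print("API base:", base)
    print("leaky  :", leaky_radius_alert(33.6844, 73.0479, 10))
    print("private:", private_radius_alert(33.6844, 73.0479, 10))
    print("private (sparse area):", private_radius_alert(24.8607, 67.0011, 10))
```

The leaky endpoint returns four exact points for the Islamabad query; the private one returns only `{"cases_within_radius": 4, "suppressed": False}`, and for the Karachi query, where a single case falls inside the radius, it suppresses the count entirely. Grid size and k trade alert usefulness against re-identification risk and should be chosen with the epidemiology team, not hardcoded in the client.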