Infosec boffins pour cold water on claims Home Office Brexit app can be easily hacked
'Unnecessary scaremongering' but still some work to be done
Reports that the Home Office's Brexit app contains "serious vulnerabilities" that could expose the phone numbers, addresses and passport details of EU citizens are overblown, say security experts.
To date, one million EU nationals have downloaded the Android settled status app, which asks users to take a selfie and scans the chip in their passports in order to verify their identity.
The Financial Times today splashed with the headline "Home Office app for EU citizens easy to hack" based on a report by Norwegian security firm Promon. The company's researchers found the app contains loopholes allowing them to access any information that was entered into it, including the facial scans and images of passport pages.
However, the Promon team did not reveal a specific vulnerability. Instead they tested the app's resilience against basic and commonly used attack methods and tools, and themselves noted these "often require very limited technical skills to use".
David Lodge, from Pen Test Partners, said of the research: "All their findings are what we would recommend for a mobile app to have to follow best practices. That is, security measures that could be applied to improve the security of the app. These are controls like the app detecting whether the phone has been rooted.
"To exploit anything with what they've listed would require a complicated setup or a device that has already been compromised."
Promon found the "ID Document Check Android" app lacked functionality to "prevent" malware from reading and stealing sensitive information provided by users, including passport details and photo IDs. They also noted that "attackers may modify or add malicious elements to the app, repackage and re-distribute the app, without the app noticing such changes or foreign elements".
The firm added the app is not:
- resilient against code being injected while the app is running
- capable of noticing whether it is being used in a hostile environment, in which the basic security architectures of Android have been broken (for example, a rooted phone).
They also said that it is possible for hackers to log what is typed into the app's text fields, meaning that codes and passwords can be stolen.
But computer security experts remain sceptical about the headline claims.
Professor Alan Woodward, of the Department of Computer Science at the University of Surrey, said: "What the story effectively says is that if your device is compromised then a hacker can read what is input to the app. It's almost a tautology. Of course, if your device is compromised someone could put something as simple as a keylogger on your device and see what you're inputting.
"What this does not mean is that there is some dreadful flaw in the app itself. It would probably apply to many apps you 'tested'.
"If the database were compromised, that would be another matter, but that's not what they say. They specifically say the app is vulnerable, but it's a bit disingenuous to phrase it in that way: if your device is vulnerable, so are most of your apps.
"It really doesn't help the cause of those of us trying to educate the wider public about cybersecurity when this kind of story is given star billing.
"I've already seen it retweeted by many who have taken the headline at face value, and that is unnecessary scaremongering. As far as I am aware, the app isn't particularly vulnerable. If you practice good security hygiene on your device, you should be fine using the app."
Paul Moore, information security consultant, agreed there is reason to treat the headline claims with some caution. "It relies on the user's device being compromised another way (malware etc), so it's certainly not an immediate risk. However, given the risks are well understood and the remedies fairly easy to implement, there's almost no excuse not to.
"For example, the same would apply to any banking app, but you would hope we would hold them to a higher standard. My initial thoughts aligned with Alan's to begin with, but in this case, it would be quicker to implement any fixes than deal with the inevitable fallout if the worst should happen."
A Home Office spokesperson said: "We take the security and protection of personal information extremely seriously.
"The EU Exit: ID Document Check app is regularly tested by independent security firms against all known and emerging threats and adheres to industry best practice on security, performance and accessibility. Over a million people have used the app safely and we continually review our systems to ensure that it is kept safe."
Maike Bohn, a co-founder of EU citizen campaign group the3million, said: "We are expecting the government to do more than issuing a statement that it takes security very seriously.
"For many EU citizens, trust in the Home Office is already very low and we fear that many concerned will not apply now – reducing the already limited time available to secure their status before the end of the deadline." ®