The Hong Kong government has tried to reassure residents worried about its COVID-19 health app LeaveHomeSafe, but a 7ASecurity audit found that those assurances are largely not to be trusted.
LeaveHomeSafe's website says that an audit in 2021 found only a single low-priority vulnerability. To test that claim, 7ASecurity audited the latest version of the app itself and found multiple security vulnerabilities.
Among the risks, the Polish cybersecurity firm found that LeaveHomeSafe could expose users to man-in-the-middle (MITM) attacks, in which an attacker secretly intercepts and relays messages between two parties who believe they are communicating directly with one another.
Information such as COVID vaccination records and COVID test status images is only weakly protected. For example, although the app can require Touch ID or a passcode before it displays that information, a person holding the phone can simply open the app's settings and turn the authentication feature off.
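The settings bypass above is worth seeing in code, because it is a design mistake rather than a bug in any one line: the gate asks for authentication, but the switch that controls the gate does not. The following is an added illustration written for this article, not LeaveHomeSafe's own code. It is plain Node.js; the BiometricPrompt class, the RecordVault classes, the attemptAccess function and the sample record are all constructed stand-ins for a platform prompt such as iOS LocalAuthentication and for the app's own screens.

```javascript
// Added illustration, not LeaveHomeSafe code. It models a "Touch ID or passcode
// before showing the vaccination record" gate in plain Node.js. BiometricPrompt
// stands in for the platform prompt (e.g. LocalAuthentication on iOS) and is
// synchronous only to keep the demo short; the record and names are constructed.

const SAMPLE_RECORD = {            // constructed sample data, not a real record
  holder: "A. Person",
  vaccination: "dose 3 of 3",
  lastTest: "negative (RAT)",
};

// Stand-in for the OS prompt. `holderPresent` says whether the person holding
// the phone can pass biometrics/passcode (false = someone other than the owner).
class BiometricPrompt {
  constructor(holderPresent) {
    this.holderPresent = holderPresent;
    this.prompts = 0;                // how many times the user was challenged
  }
  authenticate(reason) {
    this.prompts += 1;
    return this.holderPresent;
  }
}

// Shared read path: prompt only when the "require authentication" flag is set.
class RecordVault {
  constructor(prompt) {
    this.prompt = prompt;
    this.requireAuth = true;         // default as the app ships it
  }
  readRecord() {
    if (this.requireAuth && !this.prompt.authenticate("Show health record")) {
      throw new Error("authentication failed");
    }
    return SAMPLE_RECORD;
  }
}

// Vulnerable pattern: the flag is an ordinary preference that the settings
// screen flips without any prompt. The gate then only stops people who do not
// think to open Settings first.
class VulnerableRecordVault extends RecordVault {
  setRequireAuth(enabled) {
    this.requireAuth = enabled;
  }
}

// Hardened pattern: relaxing the gate is itself a protected operation, so only
// someone who can already pass the prompt may turn it off. (In a real app the
// flag should also live in keychain-backed storage rather than plain
// preferences so it cannot be edited out of band; that is not modelled here.)
class HardenedRecordVault extends RecordVault {
  setRequireAuth(enabled) {
    if (!enabled && !this.prompt.authenticate("Confirm turning off authentication")) {
      throw new Error("authentication required to change this setting");
    }
    this.requireAuth = enabled;
  }
}

// Replays the audit's scenario: whoever has the phone opens Settings, turns the
// gate off, then tries to read the record. Returns a short verdict string.
function attemptAccess(VaultClass, holderPresent) {
  const vault = new VaultClass(new BiometricPrompt(holderPresent));
  try {
    vault.setRequireAuth(false);
    vault.readRecord();
    return "record shown";
  } catch (err) {
    return "blocked: " + err.message;
  }
}

console.log("vulnerable, non-owner:", attemptAccess(VulnerableRecordVault, false));
console.log("hardened,   non-owner:", attemptAccess(HardenedRecordVault, false));
console.log("hardened,   owner:    ", attemptAccess(HardenedRecordVault, true));
```

The hardened version is deliberately asymmetric: turning the requirement on costs nothing, while turning it off demands a fresh successful prompt, so the person who can relax the gate is exactly the person the gate was meant to let through. The legitimate owner can still disable it; an unauthorised holder of the phone cannot.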
7ASecurity commented, “The security audit demonstrated that these applications have not been professionally audited by any competent security firm before, and that significant flaws exist in the current software security development lifecycle.”
Previously, the independent news agency FactWire found evidence of facial recognition features in the app after studying its source code. In response, the Hong Kong government said the developer had removed the function without disrupting the app's normal operation.
This prompted 7ASecurity to examine LeaveHomeSafe's source code as well. Even in the latest version covered by the audit, the app still contained traces of two facial recognition libraries, Google Face Detector and React Native Face Detector.
The report stated, “Even though usage of these libraries could not be proven at runtime, the obvious question of ‘why are these libraries present in the codebase?’ must be asked.”