Elliot Anderson, a cyber security expert, posted a series of tweets about the major loopholes in the COVID-19 application that was designed by the Ministry of Information Technology and Telecom in collaboration with the National Information Technology Board. “Yesterday night, I analysed COVID-19 Gov PK. [There are] hardcoded passwords, insecure connections, privacy issues. Nothing is okay with this application,” he said.
https://twitter.com/fs0c131y/status/1270260361225265153?s=20
He said that the application can’t be used for ‘contact tracing’. “When you open the app, it asks a token to the Pakistan government server with hardcoded credentials: CovidAppUser / CovidApi!@#890#. Because hardcoded credentials seems to be a thing in Pakistan, when the app requests the position of infected people on the map, they used another hardcoded credentials: ApiUser / ApiUser@1234#,” the cyber security expert said.
He added that in the ‘Radius Alert’ tab, the user gets a map of infected people, for which the application downloads their exact coordinates. He termed it a violation of infected patients’ privacy.
https://twitter.com/fs0c131y/status/1270267441361362945?s=20
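An added example, not code from the app or from the researcher: one way a server could answer a ‘Radius Alert’ query without ever sending case coordinates to the phone. The function names, grid step, risk bands and sample coordinates are assumptions constructed for illustration.

```python
import math

EARTH_RADIUS_M = 6_371_000

# Constructed sample data: (lat, lon) of confirmed cases, held server-side only.
CASES = [(33.6844, 73.0479), (33.6900, 73.0551), (24.8607, 67.0011)]


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def snap(value, step=0.01):
    """Round a coordinate to a coarse grid (0.01 degree is about 1.1 km of latitude)."""
    return round(round(value / step) * step, 6)


def radius_alert(user_lat, user_lon, cases=CASES, radius_m=2000):
    """Server-side check: return a coarse risk band, never case coordinates."""
    # Coarsen the query point so many slightly shifted queries reveal less
    # about where an individual case is located.
    lat, lon = snap(user_lat), snap(user_lon)
    nearby = sum(
        1 for c_lat, c_lon in cases
        if haversine_m(lat, lon, c_lat, c_lon) <= radius_m
    )
    # Report a band rather than an exact count.
    if nearby == 0:
        band = "none"
    elif nearby < 5:
        band = "1-4"
    else:
        band = "5+"
    return {"radius_m": radius_m, "cases_nearby": band}


if __name__ == "__main__":
    print(radius_alert(33.6861, 73.0512))  # constructed query point
```

The response carries only the radius and a band, so nothing a client receives can be plotted as a patient's location.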
While concluding his review, he said: “To sum-up, in COVID-19 Gov PK, we found: hardcoded passwords, insecure requests, privacy issue.” He went on to call the application ‘worst’.