Symantec is reporting that two-thirds of the digital vaccine apps they analyzed exhibited risky behavior.
Governments have been requiring people to carry so-called “digital passport apps” that store proof of a person’s COVID-19 vaccination status. The apps store a person’s full name, ID number, date of birth, and other (PII) either encoded in a QR code or displayed in the app. Symantec studied 40 vaccine passport and ten validation (scanner) apps and found that 27 of them suffered from the following security risks:
Threat App count App percentage
Accesses External Storage 17 43%
Disables SSL CA Validation 2 5%
Does Not Require HTTPS 15 38%
Sends Data Unencrypted 2 5%
Uses Amazon Hardcoded Credentials 1 3%
Grand Total 27 68%
When I read such insecure stats on applications, it reminds me of \”security by design\” and secure coding – which both are cultural shifts for organizations that have yet to embark on these important application development tenets. Not to mention, these applications are storing and transmitting sensitive information via the Internet. Additionally, the opportunity to have clear, appropriate application security requirements, including best practices, defined during development, and definitely tested, prior to going live. The findings identified are application security best practices.
These are very dangerous and easily exploitable targets for threat actors. A major challenge for security teams is that attacks that leverage these potential areas of risk are extremely difficult to identify by current EDR, XDR and traditional SIEM tools. Detection of associated campaigns requires a broad set of behavioral models that are necessary to identify the type of abnormal and malicious activities used for such attacks. Another critical factor is attackers will employ techniques to exploit these risks across long periods of time and vary their techniques across this period to evade the rudimentary rule-based artificial intelligence and machine learning models built into most solutions.
Organizations need to invest in more advanced analytics that employ continuously self-training machine learning models to identify new campaigns and variants. Open and transparent models are important for security teams to validate and make sure that they are looking for these types of threats specifically.
The Symantec report is another timely reminder of the importance of securing sensitive data at rest and in transit within mobile apps and the APIs that service them. In the understandable rush to provide time critical mobile-centric healthcare services, it is vital that developers and deployers ensure that industry best practice is followed. Engaging with pentesting and specialist security service providers early in the platform development cycle would prevent many if not all of the reported issues from ever occurring.