Symantec is reporting that two-thirds of the digital vaccine apps they analyzed exhibited risky behavior.

Governments have been requiring people to carry so-called “digital passport apps” that store proof of a person’s COVID-19 vaccination status. The apps store a person’s full name, ID number, date of birth, and other (PII) either encoded in a QR code or displayed in the app. Symantec studied 40 vaccine passport and ten validation (scanner) apps and found that 27 of them suffered from the following security risks:

Threat                                                    App count        App percentage

Accesses External Storage                           17                          43%

Disables SSL CA Validation                           2                            5%

Does Not Require HTTPS                              15                          38%

Sends Data Unencrypted                              2                            5%

Uses Amazon Hardcoded Credentials       1                            3%

Grand Total                                                   27                          68%

Notify of
3 Expert Comments
Oldest Most Voted
Inline Feedbacks
View all comments
Nasser Fattah
Nasser Fattah , Executive Advisor
InfoSec Expert
March 9, 2022 12:47 pm

When I read such insecure stats on applications, it reminds me of \”security by design\” and secure coding – which both are cultural shifts for organizations that have yet to embark on these important application development tenets. Not to mention, these applications are storing and transmitting sensitive information via the Internet. Additionally, the opportunity to have clear, appropriate application security requirements, including best practices, defined during development, and definitely tested, prior to going live. The findings identified are application security best practices.

Last edited 8 months ago by Nasser Fattah
Sanjay Raja
Sanjay Raja , VP of Products and Solutions
InfoSec Expert
March 9, 2022 12:41 pm

These are very dangerous and easily exploitable targets for threat actors. A major challenge for security teams is that attacks that leverage these potential areas of risk are extremely difficult to identify by current EDR, XDR and traditional SIEM tools. Detection of associated campaigns requires a broad set of behavioral models that are necessary to identify the type of abnormal and malicious activities used for such attacks. Another critical factor is attackers will employ techniques to exploit these risks across long periods of time and vary their techniques across this period to evade the rudimentary rule-based artificial intelligence and machine learning models built into most solutions.

Organizations need to invest in more advanced analytics that employ continuously self-training machine learning models to identify new campaigns and variants. Open and transparent models are important for security teams to validate and make sure that they are looking for these types of threats specifically.

Last edited 8 months ago by Sanjay Raja
David Stewart
InfoSec Expert
March 9, 2022 12:39 pm

The Symantec report is another timely reminder of the importance of securing sensitive data at rest and in transit within mobile apps and the APIs that service them. In the understandable rush to provide time critical mobile-centric healthcare services, it is vital that developers and deployers ensure that industry best practice is followed. Engaging with pentesting and specialist security service providers early in the platform development cycle would prevent many if not all of the reported issues from ever occurring.

Last edited 8 months ago by David Stewart
Would love your thoughts, please comment.x