Symantec is reporting that two-thirds of the digital vaccine apps they analyzed exhibited risky behavior.
Governments have been requiring people to carry so-called “digital passport apps” that store proof of a person’s COVID-19 vaccination status. The apps store a person’s full name, ID number, date of birth, and other personally identifiable information (PII), either encoded in a QR code or displayed in the app. Symantec studied 40 vaccine passport and ten validation (scanner) apps and found that 27 of them suffered from the following security risks:
| Threat | App count | App percentage |
|---|---|---|
| Accesses External Storage | 17 | 43% |
| Disables SSL CA Validation | 2 | 5% |
| Does Not Require HTTPS | 15 | 38% |
| Sends Data Unencrypted | 2 | 5% |
| Uses Amazon Hardcoded Credentials | 1 | 3% |
| Grand Total | 27 | 68% |