AIRLINK 74.85 Increased By ▲ 0.56 (0.75%)
BOP 4.98 Increased By ▲ 0.03 (0.61%)
CNERGY 4.49 Increased By ▲ 0.12 (2.75%)
DFML 40.00 Increased By ▲ 1.20 (3.09%)
DGKC 86.35 Increased By ▲ 1.53 (1.8%)
FCCL 21.36 Increased By ▲ 0.15 (0.71%)
FFBL 33.85 Decreased By ▼ -0.27 (-0.79%)
FFL 9.72 Increased By ▲ 0.02 (0.21%)
GGL 10.45 Increased By ▲ 0.03 (0.29%)
HBL 112.74 Decreased By ▼ -0.26 (-0.23%)
HUBC 137.44 Increased By ▲ 1.24 (0.91%)
HUMNL 11.42 Decreased By ▼ -0.48 (-4.03%)
KEL 5.28 Increased By ▲ 0.57 (12.1%)
KOSM 4.63 Increased By ▲ 0.19 (4.28%)
MLCF 37.80 Increased By ▲ 0.15 (0.4%)
OGDC 139.50 Increased By ▲ 3.30 (2.42%)
PAEL 25.61 Increased By ▲ 0.51 (2.03%)
PIAA 20.68 Increased By ▲ 1.44 (7.48%)
PIBTL 6.80 Increased By ▲ 0.09 (1.34%)
PPL 122.20 Increased By ▲ 0.10 (0.08%)
PRL 26.58 Decreased By ▼ -0.07 (-0.26%)
PTC 14.05 Increased By ▲ 0.12 (0.86%)
SEARL 58.98 Increased By ▲ 1.76 (3.08%)
SNGP 68.95 Increased By ▲ 1.35 (2%)
SSGC 10.30 Increased By ▲ 0.05 (0.49%)
TELE 8.38 Decreased By ▼ -0.02 (-0.24%)
TPLP 11.06 Decreased By ▼ -0.07 (-0.63%)
TRG 64.19 Increased By ▲ 1.38 (2.2%)
UNITY 26.55 Increased By ▲ 0.05 (0.19%)
WTL 1.45 Increased By ▲ 0.10 (7.41%)
BR100 7,841 Increased By 30.9 (0.4%)
BR30 25,465 Increased By 315.4 (1.25%)
KSE100 75,114 Increased By 157.8 (0.21%)
KSE30 24,114 Increased By 30.8 (0.13%)
Pakistan

NITB rejects errors, privacy issues pertaining govt’s COVID-19 App

  • A statement issued by NITB’s CEO Shabahat Ali Shah said that the user has highlighted a number of issues pertaining to the app including privacy issues, hardcoded passwords, and insecure connections.
Published June 10, 2020

The National Information Technology Board (NITB) has responded to the issues highlighted by a social media user pertaining to the recently launched COVID-19 Gov PK mobile app.

A statement issued by NITB’s CEO Shabahat Ali Shah said that the user has highlighted a number of issues pertaining to the app including privacy issues, hardcoded passwords and insecure connections.

The development comes after a social media user, who analyzed the app in detail, uncovered various privacy concerns and security vulnerabilities. The user stated that the official mobile application does not work properly and provides irrelevant and misguided information.

He maintained, "It's not a contact tracing app. It gives access to dashboards for each province and state, you can do a self-assessment, get radius alert, get a popup notification reminding the user of their personal hygiene."

Responding to this issue, the NITB said that the app, which is created for the purpose of curbing the spread of coronavirus pandemic, use 'a very limited personal information' and does not show the ‘exact coordinates ‘ of the infected person.

“Instead it shows radius parameter that is fixed by default at 10 meters for self declared patients and 300 meters at a quarantine location. Hence, self declared patients have given their consent to reveal their coordinates for the safety of the citizens. Moreover, they have accepted our app privacy policy terms/conditions,” maintained NITB.

To the second issue raised by the social media user regarding hardcoded passwords, NITB said that there is no user login mechanism present in the app. “Therefore, use of login and passwords are not part of the app workflow.”

NITB elaborated that the screenshot mentioning hardcoded password is the defined keyword to give more security to auth-token endpoint, so that endpoint can only be used from mobile apps.

Earlier, a social media user highlighted this issue saying, "when you open the app, it asks a token to the pak gov server with hardcoded credentials: CovidAppUser / CovidApi!@#890#. Because hardcoded credentials seems to be a thing in Pakistan, when the app requests the position of infected people on the map, they used another hardcoded creds: ApiUser / ApiUser@1234#,".

The social media user further stated that the first request made by the app is an insecure request. "In the "Radius Alert" tab you can get a map of infected people. Ofc, the exact coordinates of infected people are downloaded by the app."

To which the NITB responded that all its API communicates using HTTPS. “Hence security and protection of data of users as per international standards is of prime importance and implemented at the core.”

Comments

Comments are closed.