COVID-19 Alert SA

 

Security audit

Android v1.2.2

COVID-19 Alert SA

Marketing material

Rationale

COVID-19 Exposure Notifications

Works with a public health app

Opt-in system

Relies on people disclosing their COVID-19 status

If you've been exposed the app will notify you

Exposure Notifications

How it works

  • Random IDs are generated
  • Random ID changes every 10 - 20 minutes
  • IDs shared via Bluetooth
  • Bluetooth max range - 10 metres
  • The phone will store all the random IDs for 16 days

Self-disclosure

  • COVID-19 +
  • Enter unique PIN from Dept of Health
  • Date of Birth
  • Data is uploaded to a central server

Data Tracking

  • Date
  • Duration
  • Distance (measured by the strength of the Bluetooth signal)

Not allowed

  • Your location
  • The Exposure Notifications System (ENS) does not share your location or identity

Who can use ENS?

  • Only public health authorities
  • Must meet criteria around privacy, security and data use
  • What are these criteria?

Tracking vs Data Sharing

  • Indefinite tracking via phone number
  • MAC (hardware) address
  • Geolocation - cellular triangulation

Just because GPS is not being used doesn't mean you are NOT being tracked!

Cell phone triangulation

https://4n6.com/cell-phone-triangulation/

Bluetooth mesh network

https://www.eenewseurope.com/news/multi-hop-mesh-network-tech-boosts-covid-19-contact-apps

Permissions

  • Internet
  • Bluetooth

Permissions...

  • Access Network State
  • Allows the app to access info about the phone's network 

https://developer.android.com/reference/android/Manifest.permission#ACCESS_NETWORK_STATE

Permissions...

  • Wake lock screen
  • Prevents the phone from entering sleep mode

https://developer.android.com/reference/android/Manifest.permission#WAKE_LOCK

Permissions...

  • Receive boot completed
  • App autostarts when phone is restarted

https://developer.android.com/reference/android/Manifest.permission#RECEIVE_BOOT_COMPLETED

Permissions...

  • Foreground service
  • App runs as a priority app and not in background.

https://developer.android.com/reference/android/Manifest.permission#FOREGROUND_SERVICE

Sharing

Google Plus

WhatsApp

 

https://api.whatsapp.com/send?phone=

https://plus.google.com

Unsafe file delete

Exposes sensitive information to a third party that is not explicitly authorized to have access to that information.

There is a bug that leaves behind photos taken and shared even after the chats are deleted on some apps.

Access to all applications installed on the Android device.

HIGH

Prevent screenshots & screensharing

MEDIUM

  • Any element on the screen that is not part of an app.
  • Exploits in the SystemUI in Android 
  • Allows attackers to read screenshots

No blurring for apps in background

MEDIUM

  • Data can leak through screenshots taken by the user or cached
  • Blurring used to obscure screenshots or block the device’s screenshots
  • Prevent sensitive mobile data from being exposed.

https://cwe.mitre.org/data/definitions/200.html

Data storage on device

LOW

  • The app uses a vulnerable SQLite database
  • Stores sensitive info in plain text on the phone
  • Should be encrypted
  • Need physical access to device / root access

Security flaws

HIGH

  • Part of the app is available to other apps
  • No restrictions
  • Any app will be able to launch the activity.
  • Malicious app can gain access to sensitive information
<activity
    android:name="za.gov.health.covidconnect.home.ExposureNotificationActivity"
    android:exported="true"
    android:clearTaskOnLaunch="true"
    android:launchMode="2">
    <intent-filter>
        <action android:name="android.intent.action.MAIN" />
        <!-- remainder of the filter is not shown on the slide -->
    </intent-filter>
</activity>
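
The exported-component finding above can be checked mechanically against a decoded AndroidManifest.xml. This is an added example, not part of the original slides or the app's code; apart from the activity name taken from the excerpt, every component in the sample manifest is hypothetical.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"
KINDS = ("activity", "activity-alias", "service", "receiver", "provider")
MAIN, LAUNCHER = "android.intent.action.MAIN", "android.intent.category.LAUNCHER"

# Constructed manifest. Only the first activity mirrors the slide's excerpt;
# every other component is hypothetical.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
 <application>
  <activity android:exported="true"
    android:name="za.gov.health.covidconnect.home.ExposureNotificationActivity">
   <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
  </activity>
  <activity android:name=".SplashActivity" android:exported="true">
   <intent-filter>
    <action android:name="android.intent.action.MAIN"/>
    <category android:name="android.intent.category.LAUNCHER"/>
   </intent-filter>
  </activity>
  <service android:name=".SyncService" android:exported="true" android:permission="com.example.SYNC"/>
  <receiver android:name=".BootReceiver">
   <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
  </receiver>
  <activity android:name=".SettingsActivity" android:exported="false"/>
 </application>
</manifest>"""

def audit_exported(manifest_xml):
    """List components that any other app can start without a permission."""
    app = ET.fromstring(manifest_xml).find("application")
    findings = []
    for comp in (c for c in app if c.tag in KINDS):
        filters = comp.findall("intent-filter")
        flag = comp.get(A + "exported")
        # No explicit value: apps targeting below Android 12 export any
        # component that declares an intent-filter.
        exported = flag == "true" or (flag is None and bool(filters))
        guarded = comp.get(A + "permission") or app.get(A + "permission")
        if not exported or guarded:
            continue
        launcher = any({MAIN, LAUNCHER} <= {e.get(A + "name") for e in f} for f in filters)
        note = "launcher entry, must stay exported" if launcher else "exported, no permission"
        findings.append((comp.get(A + "name"), comp.tag, note))
    return findings

if __name__ == "__main__":
    for finding in audit_exported(SAMPLE):
        print(*finding, sep=" | ")
```

A launcher activity has to remain exported, so for that case the review shifts to how the activity validates the intents it receives.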

Security flaws

MEDIUM

  • Debugging Information provided for
  • Debugging helps developers write code
  • Can inject our own code to run in the vulnerable app process.

Security flaws

MEDIUM

  • Missing native [C, C++] code.
  • The app can be decompiled using Reverse Code Engineering
  • Extract source code from the Android Package File (APK)

It gets better

EEK

Gets geolocation:

 

https://developer.android.com/reference/android/location/LocationManager

This class provides access to the system location services. These services allow applications to obtain periodic updates of the device's geographical location, or to be notified when the device enters the proximity of a given geographical location.

LOCATION

getLastKnownLocation()

https://developer.android.com/reference/android/location/LocationManager

iget-object v5, v1, Lb/b/k/t;->b:Landroid/location/LocationManager;

invoke-virtual {v5, v3}, Landroid/location/LocationManager;->getLastKnownLocation(Ljava/lang/String;)Landroid/location/Location;

small/out/b/b/k/k$h.smali

It gets better...

getNetworkCountryIso()

https://developer.android.com/reference/android/telephony/TelephonyManager#getNetworkCountryIso()

Returns the ISO-3166-1 alpha-2 country code equivalent of the MCC (Mobile Country Code) of the current registered operator or the cell nearby.

ISO 3166-2:ZA

Country ISO

getNetworkCountryIso()

https://developer.android.com/reference/android/telephony/TelephonyManager#getNetworkCountryIso()

iget-object v0, p0, Le/a/a/a/f/c0;->a:Landroid/telephony/TelephonyManager;

invoke-virtual {v0}, Landroid/telephony/TelephonyManager;->getNetworkCountryIso()Ljava/lang/String;

small/out/e/a/a/a/f/c0.smali

It gets better...

Java reflection

https://docs.oracle.com/javase/8/docs/api/java/lang/reflect/Method.html

This is a feature of the code that allows the software to examine itself and manipulate internal properties of the app.

In general, this is usually a bad idea, for reasons of performance, clarity, and robustness.
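
One way to locate calls like the ones quoted above across decompiled smali, as an added example that is not the audit's own tooling. The iget-object and the location and telephony invoke-virtual lines come from the slides; the class, the method wrappers and the reflection call in the sample are constructed.

```python
import re

# Framework calls the audit singles out: location, telephony, reflection.
WATCHLIST = {
    "Landroid/location/LocationManager;->getLastKnownLocation": "location",
    "Landroid/telephony/TelephonyManager;->getNetworkCountryIso": "country ISO",
    "Ljava/lang/reflect/Method;->invoke": "reflection",
}
CLASS = re.compile(r"^\.class (?:.* )?(L\S+;)")
METHOD = re.compile(r"^\.method .*?([\w$<>]+)\(")
INVOKE = re.compile(r"^\s*invoke-[\w/-]+ \{[^}]*\}, (L[^;]+;->[\w$<>]+)\(")

# Constructed smali: class name, method names and the reflection call are
# hypothetical; the other instructions are the ones shown on the slides.
SAMPLE = """\
.class public final Lcom/example/Demo;
.method public final where()V
    iget-object v5, v1, Lb/b/k/t;->b:Landroid/location/LocationManager;
    invoke-virtual {v5, v3}, Landroid/location/LocationManager;->getLastKnownLocation(Ljava/lang/String;)Landroid/location/Location;
    invoke-virtual {v0}, Ljava/lang/Object;->toString()Ljava/lang/String;
.end method
.method public country()Ljava/lang/String;
    iget-object v0, p0, Le/a/a/a/f/c0;->a:Landroid/telephony/TelephonyManager;
    invoke-virtual {v0}, Landroid/telephony/TelephonyManager;->getNetworkCountryIso()Ljava/lang/String;
    invoke-virtual {v1, v2, v3}, Ljava/lang/reflect/Method;->invoke(Ljava/lang/Object;[Ljava/lang/Object;)Ljava/lang/Object;
.end method
"""

def scan_smali(text):
    """Return (class, method, label, line_no) for each watched API call."""
    hits, cls, method = [], None, None
    for no, line in enumerate(text.splitlines(), 1):
        if m := CLASS.match(line):
            cls = m.group(1)
        elif m := METHOD.match(line):
            method = m.group(1)
        elif (m := INVOKE.match(line)) and m.group(1) in WATCHLIST:
            hits.append((cls, method, WATCHLIST[m.group(1)], no))
    return hits

if __name__ == "__main__":
    for hit in scan_smali(SAMPLE):
        print(*hit, sep=" | ")
```

A hit only shows that the call exists in the bytecode; whether it is reachable, and from which library it originates, still has to be traced from the enclosing class and method.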

 

Reflection

Takeaways

  • Location tracking doesn't need GPS
  • Data storage is insecure
  • Data is uploaded to a server
  • Battery life of the phone impaired
  • Android exploits make app insecure

COVID-19 Alert SA Security Audit

By louisnelza

A deep dive into the source code of the Android COVID-19 Alert app
