
[Opinion] GH COVID-19 Tracker App: Security Analysis – App Permissions


The launch of the GH COVID-19 Tracker app by the Government of Ghana has been met with mixed reactions from Ghanaians. Diverse views have been presented, and the various social media platforms have been buzzing with discussion of the app.

While some Ghanaians see the app as needless and useless, others see it as a tool for the government to track people. Another section commends the government for its efforts. As professionals, however, we need to present our views within the remit of our profession so that users can appreciate the issues and form their own judgement.

Technically, only the developer truly knows an app's intention, because so much of what an app does is hidden from the user. The intention as stated by the developer may be a deception in its entirety, or some aspect of it may be concealed from the user. The real intention can be genuine or malicious.

Likewise, how the collected data is stored and who has access to it is mostly hidden from the user; it is only through technical analysis, such as decompiling the APK, that professionals can establish or infer what an app really does. As a security and privacy professional, I decided to take a look at the app and offer my professional comment.

I have read the terms and conditions from http://ghcovid19.com/installation_guide.pdf and, as professional ethics demand, I did not decompile the APK but instead took the details of the installed app, as shown below, for my analysis.

From the figure above (the app's permission list as displayed by Android), it follows that, by design, the GH COVID-19 Tracker app can request access to the following on your device: Calendar, Camera, Contacts, Location, Microphone, Phone and Storage.

This means that the developers have declared these permissions in the app, so that it CAN HAVE ACCESS to the above resources on your mobile device. On Android 6.0 and later these are runtime permissions: if you deny one, the app is blocked from the corresponding system API and cannot read or modify that resource through it. On older Android versions all permissions were granted in full at install time, with no way to deny an individual one.

[One caveat: denying a permission only closes the permission-gated API. Apps have at times obtained similar information through side channels, for example inferring location from the identifiers of nearby Wi-Fi routers or from GPS metadata in photos they are allowed to read, so a denied permission reduces the risk rather than eliminating it.]
So, it can be technically concluded that the GH COVID-19 Tracker app has been designed to request access to the resources listed above, as shown in the image. Each access can be ALLOWED or DENIED by the user.

IMPLICATIONS

Android sorts permissions into protection levels, and two of them matter here. Normal permissions are those that pose little risk to the user's privacy or the device's operation, for example access to the Internet; Android grants them automatically at install time and never asks the user. Dangerous permissions are those that could affect the user's privacy or the device's normal operation, for example access to your location, which can be used to track your whereabouts and infringe your right to privacy; these must be granted explicitly by the user. (Android also has signature permissions, available only to apps signed with the same key as the app that defines them, and special permissions that must be switched on in Settings.) Now, what are the implications of granting the app access to these resources?

Calendar: The GH COVID-19 Tracker app can read your calendar entries if granted the access and, with write access, add, change or delete them.

Camera: The app can take pictures or record video if granted the permission, without any obvious on-screen indication (Android only added a camera-in-use indicator in Android 12). Android 9 and later block an app from using the camera while it is in the background, so covert capture is possible while the app is on screen.

Contacts: The GH COVID-19 Tracker app will have access to your address book (names, phone numbers, e-mail addresses) if granted the permission, and with write access it can change or delete entries. Note that this is the phone's contact list, which records who you know, not who you have physically been near.

Location: The app will have access to your position from GPS, cell towers and Wi-Fi if granted the access, precisely enough to record your movements over time and so track you.

Microphone: The GH COVID-19 Tracker app can record audio via the microphone, or receive and process voice, when granted the permission, subject to the same foreground restriction as the camera on Android 9 and later.

Phone: This group covers more than placing calls. Depending on which permissions the app declares, it can place calls directly without the dialler asking you, and read the phone's state, such as whether a call is in progress (before Android 10 this also exposed hardware identifiers such as the IMEI).

Storage: The app can read and modify files on shared storage, such as photos, downloads and documents saved by other apps, when granted the permission. It does not need this permission for its own private internal directory, which every app gets without asking; a storage permission is only needed to reach data outside the app's own sandbox.
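To see the same information without decompiling, a practitioner pulls the package record from the device with `adb shell dumpsys package <package.name>` and reads the "requested permissions" list (what the manifest declares) against the "runtime permissions" list (what the user has actually allowed or denied). The Python below, an added example and not code from the article or from the app's developers, parses such output and sorts the requested permissions into the seven Settings groups discussed above, separating the normal permissions Android grants silently from the dangerous ones the user decides on. The package name com.example.ghcovid19 and the dumpsys excerpt are constructed for illustration; only their layout mirrors real dumpsys output.

```python
"""Requested vs. granted Android permissions from `dumpsys package` output.

Added example, not from the article or the app's developers. On a real device:
    adb shell dumpsys package <package.name>
The package name com.example.ghcovid19 and SAMPLE_DUMPSYS below are
constructed stand-ins; only the layout mirrors real dumpsys output.
"""
import re

# Runtime ("dangerous") permissions, keyed to the Settings group they belong
# to. Subset covering the seven groups named in the article.
DANGEROUS_GROUPS = {
    "android.permission.READ_CALENDAR": "Calendar",
    "android.permission.WRITE_CALENDAR": "Calendar",
    "android.permission.CAMERA": "Camera",
    "android.permission.READ_CONTACTS": "Contacts",
    "android.permission.WRITE_CONTACTS": "Contacts",
    "android.permission.GET_ACCOUNTS": "Contacts",
    "android.permission.ACCESS_FINE_LOCATION": "Location",
    "android.permission.ACCESS_COARSE_LOCATION": "Location",
    "android.permission.RECORD_AUDIO": "Microphone",
    "android.permission.READ_PHONE_STATE": "Phone",
    "android.permission.CALL_PHONE": "Phone",
    "android.permission.READ_EXTERNAL_STORAGE": "Storage",
    "android.permission.WRITE_EXTERNAL_STORAGE": "Storage",
}

# A permission line: the name, optionally followed by "granted=true/false"
# (present in the install/runtime sections, absent in "requested permissions").
PERM_RE = re.compile(r"^\s+([A-Za-z0-9_.]+\.[A-Z0-9_]+)(?::\s*granted=(true|false))?")

# Constructed excerpt in the shape of `adb shell dumpsys package` output.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.ghcovid19] (1a2b3c):
    userId=10123
    versionName=1.0
    requested permissions:
      android.permission.INTERNET
      android.permission.ACCESS_NETWORK_STATE
      android.permission.READ_CALENDAR
      android.permission.CAMERA
      android.permission.READ_CONTACTS
      android.permission.ACCESS_FINE_LOCATION
      android.permission.RECORD_AUDIO
      android.permission.CALL_PHONE
      android.permission.READ_PHONE_STATE
      android.permission.WRITE_EXTERNAL_STORAGE
    install permissions:
      android.permission.INTERNET: granted=true
      android.permission.ACCESS_NETWORK_STATE: granted=true
    User 0: ceDataInode=0 installed=true hidden=false
      runtime permissions:
        android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET ]
        android.permission.CAMERA: granted=false, flags=[ USER_SET ]
        android.permission.READ_CONTACTS: granted=false, flags=[ USER_SET ]
"""


def parse_dumpsys(text):
    """Return (requested, granted).

    requested: permission names the manifest declares, in order
    granted:   {permission: bool} for every install-time or runtime decision
    A requested permission missing from `granted` has not been decided yet
    (the app never prompted for it, or the user has not answered).
    """
    requested, granted, section = [], {}, None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.endswith("permissions:"):
            section = stripped[:-1]          # e.g. "runtime permissions"
            continue
        m = PERM_RE.match(line)
        if m is None:                        # any other line ends the list
            section = None
            continue
        if section is None:
            continue
        perm, state = m.group(1), m.group(2)
        if section == "requested permissions":
            requested.append(perm)
        elif state is not None:
            granted[perm] = (state == "true")
    return requested, granted


def dangerous_summary(text):
    """Map Settings group -> {permission: 'granted' | 'denied' | 'not decided'}.

    Normal permissions (INTERNET, ...) are dropped: Android grants them at
    install time and never shows them on the app's permission screen.
    """
    requested, granted = parse_dumpsys(text)
    summary = {}
    for perm in requested:
        group = DANGEROUS_GROUPS.get(perm)
        if group is None:
            continue
        if perm not in granted:
            status = "not decided"
        else:
            status = "granted" if granted[perm] else "denied"
        summary.setdefault(group, {})[perm] = status
    return summary


if __name__ == "__main__":
    for group, perms in sorted(dangerous_summary(SAMPLE_DUMPSYS).items()):
        print(group)
        for perm, status in perms.items():
            print(f"  {perm}: {status}")
```

Run against a real device, replace SAMPLE_DUMPSYS with the captured output; a group that shows "not decided" for every permission is one the app declared but has never asked for, which is itself worth noting when judging whether the permission is needed.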

Hence, technically, the GH COVID-19 Tracker app has been designed to request dangerous permissions once installed. Requesting permissions that could potentially affect the user's privacy or the device's normal operation is not, in itself, an issue when handled professionally: each permission should correspond to a stated feature, and the user should be made aware of how their data is collected, processed, stored and disseminated.

With the stated objective of tracking, the app cannot follow a user's movements without collecting their location. The Contacts permission might conceivably feed a contact-tracing algorithm, although the phone's address book records who you know rather than who you have been physically near, so any such use would need to be explained.
However, will access to Calendar, Camera, Microphone, Phone and Storage be necessary? What is the intention?

GH COVID19 Tracker App Terms and Conditions: How it Works

When you start using GH COVID-19 Tracker App as a User, the App will collect certain health-related information about you, and other general information such as your name, phone number, gender, age, sex, risk factors, the region in which you live, or information about your existing health conditions, which may be helpful for the GoG to correctly provide you with any required help and advice.

Whilst using this App as a User, you will allow “GH COVID-19 Tracker” App to use your data but note that this data will only be used for the intended purpose. GoG may use the mobile number provided by you to contact you in case of possible infection.

Any personal information provided by you may also be shared with other necessary and relevant persons (if required) in order to carry out necessary administrative and medical interventions.
Source: http://ghcovid19.com/installation_guide.pdf

CONCERNS
The following are a few concerns I think we need to look at:

1. The terms state that the personal and health data provided by a user to the GH COVID-19 Tracker may be helpful for the GoG to correctly provide any required help and advice. How the GoG will do this is beyond the ordinary user: a great deal of backend, behind-the-scenes processing can be deployed to achieve the GoG's objectives. Will the government and its partners use the data collected only as indicated?

2. The app is not deployed on the Play Store or the App Store. These platforms screen apps for basic and advanced security measures before hosting them, and they sweep and remove apps that do not comply with their security policies.

Although apps not hosted on these platforms can still be installed on a mobile device (sideloading), Google and Apple do not encourage it and take no responsibility for any security issue that emerges after a user installs such an app. As of the time of this write-up, the very website the app is downloaded from, http://ghcovid19.com, is served over plain HTTP with no TLS (HTTPS) protection. That means anyone on the network path, such as a rogue Wi-Fi hotspot or a compromised link at an ISP, could substitute a modified APK without the user noticing, unless the user checks the file's hash or signing certificate against a value obtained some other way. HTTPS is a basic requirement and does not cost much to implement.
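What a careful user or administrator can do when the only download source is an http:// page, as an added example that is not part of the original article: pin the SHA-256 hash the publisher states through a trusted channel, confirm the file carries APK signature entries before installing, and treat any mismatch as a reason not to install. The sample APK, its contents and the tampering function are constructed for this example; the certificate-level check belongs to the Android SDK's apksigner tool, which this script does not replace.

```python
"""Integrity checks for an APK fetched over plain HTTP.

Added example, not from the article or the app's developers. The APK built by
build_sample_apk() is a constructed stand-in (real APKs usually also carry a
v2/v3 signing block outside the ZIP entries), and the pinned hash is whatever
the publisher states over a trusted channel. Certificate-level verification is
done with `apksigner verify --print-certs app.apk` from the Android SDK
build-tools; this script covers only what the standard library can check.
"""
import hashlib
import hmac
import io
import zipfile


def build_sample_apk(signed=True):
    """Constructed, minimal APK-shaped ZIP. With signed=True it carries the
    JAR-style (v1) signature entries a signed APK has under META-INF/.
    Entries are stored uncompressed so the tampering below can edit bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as z:
        z.writestr("AndroidManifest.xml", b"<constructed binary manifest>")
        z.writestr("classes.dex", b"dex\n035\x00constructed")
        if signed:
            z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
            z.writestr("META-INF/CERT.SF", "Signature-Version: 1.0\n")
            z.writestr("META-INF/CERT.RSA", b"\x30\x82constructed PKCS#7 blob")
    return buf.getvalue()


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def verify_pinned_hash(data, expected_hex):
    """True only if the download matches the hash obtained out of band.
    compare_digest keeps the comparison time independent of where it differs."""
    return hmac.compare_digest(sha256_hex(data), expected_hex.strip().lower())


def v1_signature_entries(data):
    """Names of JAR-signature entries present. An empty list means the APK is
    either unsigned or signed only with the v2+ scheme, which lives in the APK
    Signing Block rather than as ZIP entries; apksigner settles which."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return sorted(
            n for n in z.namelist()
            if n.startswith("META-INF/")
            and n.upper().endswith((".SF", ".RSA", ".DSA", ".EC"))
        )


def tamper_in_transit(data):
    """Model an on-path attacker on an http:// download: flip the payload of
    classes.dex without changing its length. The ZIP still lists the same
    entries, including the signature files, so only a hash or signature
    check catches the substitution."""
    return data.replace(b"035\x00constructed", b"035\x00tampered!!!")


def check_download(data, expected_hex):
    """Verdicts a cautious installer wants before tapping Install."""
    return {
        "hash_matches": verify_pinned_hash(data, expected_hex),
        "has_v1_signature": bool(v1_signature_entries(data)),
    }


if __name__ == "__main__":
    genuine = build_sample_apk()
    pinned = sha256_hex(genuine)          # stands in for a published hash
    print("genuine :", check_download(genuine, pinned))
    print("tampered:", check_download(tamper_in_transit(genuine), pinned))
    print("unsigned:", check_download(build_sample_apk(signed=False), pinned))
```

The tampered archive still lists CERT.SF and CERT.RSA, which is the point: the presence of signature files says nothing about whether the bytes were altered, so the pinned hash (or a real apksigner verification of the signing certificate) is the check that matters, and it is only as trustworthy as the channel the expected value came over.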

3. The Data Protection Act, 2012 (Act 843) requires every entity that collects, processes, stores or disseminates the personal data of Ghanaian citizens to be registered with the Ghana Data Protection Commission.

Are the companies involved, iQuent Technologies and Ascend Digital Technologies, duly registered with the GDPC, and hence can they be trusted to handle thousands of Ghanaians' personal data?

My search of the GDPC's website shows that neither of these companies is registered as a data processor: https://registration.dataprotection.org.gh/search_register.php

Source: Emmanuel K. Gadasu
====================
[Information Security and Data Protection Practitioner]
CEH, CHFI, MSc Information Security*
Phone/WhatsApp: +233-24 391 3077
LinkedIn: https://www.linkedin.com/in/emmanuelgadasu/
Facebook: https://web.facebook.com/emmanuel.gadasu
Twitter: @wahehejnr

DISCLAIMER:
This write-up is based on my professional experience as an information security and privacy professional and as a software developer. The presentation is based on my own professional judgement and is intended to educate people and also to draw other professionals into the debate for more education on the issues surrounding the GH COVID-19 Tracker app. I analysed the details of the app after installation and did not decompile the APK. My presentation is based purely on what the app reveals about itself after installation.

 

Disclaimer: The views/contents in this article are the sole responsibility of the author(s) and not necessarily the views of Newswatchgh.com. Newswatchgh.com is therefore not liable or responsible for any inaccuracies contained in this article.

Reproduction is authorised if permission is granted by Newswatchgh.com
