EGOV APPS ARE ON THE RISE – BUT HOW SECURE ARE THEY?
Mobile eGovernment (eGov) apps create a unique opportunity for governments to interact with their citizens and provide streamlined solutions for them – from eID’s and healthcare apps to tax services apps. eGovernment apps cover a wide range of services and can be highly beneficial for a country’s citizens.
But these apps can also contain a great deal of sensitive information that needs to be kept safe. When it comes to protecting user data, governments should lead by example and set the standard. Without security mechanisms that protect against common attack methods, these apps ultimately put citizens’ data at risk.
Due to COVID-19, governments have accelerated the digitization of their citizen interactions by several years. And because of the rise in popularity of eGov apps in Asia and their rapidly increasing number of users, we wanted to analyse the top apps in this sector to assess for any major vulnerabilities and weak spots in the overall eGov app landscape.
Our mission was to find out if the apps have strong enough security mechanisms in place or if they contain vulnerabilities that could potentially jeopardise citizens’ data.
When governments fail to implement proper security for their apps, it opens up the app to be easily manipulated by malware or reverse-engineered by bad actors, potentially leading to account takeovers, data leakage, and fraud.
METHODOLOGY
As part of our analysis, we assessed 12 of the top Android and iOS mobile eGov apps in the Asia-Pacific (APAC) region. We believe that the selected apps provide a window into the security flaws most popular eGov apps in the APAC region contain.
Our chosen apps provide citizens with services such as access to health information, including electronic healthcare records, COVID-19 test results, and other personal digital services.
It is important to note that this research is not a comprehensive study. Our researchers conducted a security assessment using free and easily accessible tools. Still, we found vulnerabilities in most apps that raise concern, and further analysis could reveal even more weaknesses.
We conducted both static and dynamic analysis, as well as assessing whether any runtime security and anti-malware capabilities were in place.
Static analysis: In this type of attack, malicious users decompile or disassemble the app offline on a local device. During a static attack, an attacker may examine the app code and attempt to reverse engineer it to understand how the app functions. By doing this, they may find security vulnerabilities within the app or sensitive information to steal.
Runtime analysis: At runtime, the attacker can employ a variety of tools and techniques to analyse or modify the app. It is easier than ever for an attacker to use techniques such as jailbreaking, rooting, and hooking in order to, for example, steal the app’s decryption keys or intercept its communication with servers.