Independent audit of Hong Kong COVID tracking system discloses vulnerabilities

Review of ‘Leave Home Safe’ apps finds that confidential communications aren’t always secure.

UPDATED at 1:22 P.M. EST on 2022-08-01

An independent audit of the Hong Kong government’s digital COVID-19 contact-tracing apps found significant security issues with the software but said the flaws weren’t necessarily intentionally added to allow for unauthorized tracking.

The “Leave Home Safe” mobile apps became available for download in November 2020, allowing users to scan a QR code at more than 9,000 locations in Hong Kong, including both public and private venues, and on identification labels in 18,000 taxis to record their movements.

The apps also notified users if a person confirmed with contagious respiratory virus had recently visited those places.

7ASecurity, a Poland-based computer network security and testing firm, conducted a privacy and a security audit of the Leave Home Safe Android and iOS apps in April and May on behalf of the Hong Kong Democracy Council (HKDC).

Its work was funded by the Open Technology Fund (OTF), a U.S. nonprofit that supports global internet freedom technologies and, like Radio Free Asia, is part of the United States Agency for Global Media, an independent agency of the U.S. government that broadcasts news and information in 63 languages.

The parties issued the 55-page report on Wednesday.

When the Hong Kong government rolled out the apps, people there raised concern about potential security and privacy risks that they could introduce. Some feared the apps would be used to control Hongkongers amid a citywide crackdown on public protest and dissent over China's aggressive policies in the special administrative region, according to a previous report by RFA.

Less than half a million downloads of apps occurred during the first two weeks due in part to privacy concerns among city's roughly 7.5 million people, and many acquired a second mobile device to avoid having sensitive content on the same phone, OTF said in an announcement on its website.

As of Nov. 1, 2021, the Chinese government made use of the apps mandatory for anyone entering government-run buildings, including courts, swimming pools, public markets, hospitals, shopping malls and places of worship. The apps recently began requesting real name registration and tracking users’ movements.

The goal of the audit was to have an independent third party verify whether the official Leave Home Safe privacy and security claims are accurate.

On Wednesday, OTF issued 7ASecurity’s report on the audit results with 12 findings, eight of which are classified as security vulnerabilities and four as general weaknesses with lower exploitation potential. Three of these findings had an estimated severity level of high or critical.

“While no clear privacy violation could be conclusively proven during the audit at runtime, a number of application artifacts, likely inherited from underlying dependencies or simply security vulnerabilities introduced by mistake, were found during this exercise,” the report says.

The privacy audit could not conclusively prove malicious intent or unauthorized tracking of Hongkongers, it says.

One of the identified vulnerabilities was that the Android app failed to validate certificates that secure internet connections by encrypting data sent between a browser, website and website server, allowing communications between two parties to be intercepted by a malicious user without any user warnings.

7ASecurity also found that the Android app stores COVID vaccination and test status images in the mobile device’s Secure Digital (SD) memory storage cards when users try to import such QR Codes from safer locations, such as Google Drive. Android SD Cards are inappropriate locations for sensitive data because thieves can remove them and plug them into a computer to read the data.

Additionally, the audit determined that the Leave Home Safe Android app uses several cryptographic functions with known security weaknesses, either directly or through inherited libraries.

The iOS app does not implement available Data Protection features in iOS, so that most files have a default encryption that keeps the decryption key in memory while the device is locked — the least secure form of data protection available on iOS, according to the security auditors. A malicious attacker with physical access to the device could use it to read the decryption key from memory and gain access to local app data files, without needing to unlock the device, they said.

7ASecurity’s test team experienced several significant limitations during the audit, according to the report.

“The application could not be exercised fully at runtime due to a lack of Hong Kong health code system credentials, valid Hong Kong COVID vaccination QR codes, and valid Hong Kong COVID test QR codes,” the report said. “It is possible that additional vulnerabilities are present in the functional areas that could not be explored during this engagement.”

"This poor result strongly suggests that the Leave Home Safe mobile apps have not been audited by any competent security firm previously," 7ASecurity said in the report. "This is in stark contrast to the documentation in the official Leave Home Safe website, which indicates the mobile applications were audited previously on December 10th 2021, and only a single 'low' priority issue was identified."

7ASecurity recommended that the issues raised in the report be addressed to strengthen the security aspects of the Leave Home Safe platform, and that a thorough review, including a full code audit, be conducted. The firm also suggested regular testing of the platform at least once a year or when substantial changes are to be deployed, to ensure new features do not introduce security vulnerabilities.

Hong Kong's government issued a statement on Thursday which claimed that there “has never been any security or privacy-related incidents” in connection with its COVID-19 contact-tracing apps and dismissing what it called "inaccurate reports and unfair allegations" in 7ASecurity's findings.

RFA previously reported on Hong Kong police in Hong Kong investigating the origins of a fake app after the government made the Leave Home Safe app compulsory for those entering government-run facilities.

CORRECTION: An earlier version of the article incorrectly referred to OTF as OTC and attributed a quote to OTF's announcement instead of 7ASecurity's report. Clarifies that 7ASecurity's test team experienced several limitations during the audit and adds quote from the report. Adds information that the audit was conducted by the Hong Kong Democracy Council (HKDC).

Updated to include Hong Kong government reaction.