An app developed by the Home Office to help EU nationals apply to live in the UK post-Brexit can be exploited by hackers to steal sensitive data.
Flaws in the 'EU Exit: ID document check' app could allow an attacker to take control of the app or get a glimpse of the information being entered into it in real-time, including a copy of the applicant's passport, according to cyber security firm Promon.
The app was developed last year to replace the previous laborious 85-page process that EU nationals would have had to undergo to apply for residency in the UK.
When downloaded, users can submit scans of their passports to the Home Office, and the app checks whether these are valid by reading the biometric chip.
The app also holds details like names, addresses, and telephone numbers, and verifies identity via facial recognition.
All this information is vulnerable, according to the researchers, who did not reveal specific vulnerabilities in the app, rather they tested its resilience against basic and commonly used attack methods and tools.
"The tools we used are typically very easily accessible and require very little technical skill to use. It means any type of bad actor could perform this attack, without sophisticated technical knowledge," Promon CTO Tom Lysemose Hansen told the Financial Times (FT)
"There is very little the end user can do, since this is a government app. There is a lot of responsibility on the app makers to provide security measures here, because of this level of trust. Very personal and sensitive information is being handled, and millions of people are using it so you would expect stringent protection measures, similar to banking apps."
The researchers learned they were able to take control of the app and access information that was entered, including images of passports and facial scans. They could also spy on information as it was being entered, such as user passwords, and were able to alter data too.
A Promon spokesperson told IT Pro that in worst-case scenarios, where malware has been launched and distributed, attackers can modify or add malicious elements to the app, repackage and redistribute the app, without the app noticing any changes.
This is because the app lacks basic safeguards that prevent it from reading and stealing sensitive information – which also allows vulnerable code being injected into it while it's running.
Leveraging advanced analytics to detect user security threats
Deliver a unified, contextual, and secure digital workspace
Moreover, the app isn't capable of noticing whether it's being used in a hostile environment, and cannot detect if an attacker is analysing the app while it's running.
Several of these attack scenarios can be carried out on both rooted and non-rooted devices, the spokesperson added, although there has been no evidence of attacks yet occurring.
The facial recognition functionality, meanwhile, has been provided by the Home Office's supplier iProov, which involves matching a user's selfie against the image read from their passport chip.
The Home Office previously ran into problems with its app last year after it emerged that the software wasn't compatible with iOS. Promon researchers only examined the Android version of the app, although it's now operational on Apple's operating system too.
"We take the security and protection of personal information extremely seriously," a Home Office spokesperson said.
"The EU Exit: ID Document Check app is regularly tested by independent security firms against all known and emerging threats and adheres to industry best practice on security, performance and accessibility. Over a million people have used the app safely and we continually review our systems to ensure that it is kept safe."
The Home Office added there have been no known security breaches of the app to date, and that the last external security review took place as recently as September 2019.
