grandeduc - Fotolia

Home Office Brexit app contains multiple security flaws

The Home Office’s Brexit app may be putting EU citizens’ personal data at risk

The Home Office’s EU Exit: ID Document Check Android smartphone application, which enables European Union (EU) citizens to apply for Settled Status should the UK leave the EU, contains multiple cyber security flaws that put it at risk of malware attack, enabling hackers to steal passport information and biometric facial scans.

As per the Financial Times, which first reported the story, a number of problems with the Android version of the app, were identified by researchers from Norwegian security firm Promon, who tested its resilience against some of the most commonly-used attack methods.

“From our research, we found that the Brexit app on Android lacks crucial security measures, which is hugely concerning when you consider the sensitive nature of the information that users input into it,” said Promon chief technology officer Tom Lysemose Hansen.

“At this time of political uncertainty, the last thing that people who are applying to remain in the UK need, or expect, are concerns around whether their passport information and photo IDs are being stolen by hackers.

“As the app will continue to grow in popularity and demand, with more people fearful of what will happen to them if the UK does leave, it means that it will become increasingly attractive to attackers, with the potential subsequent fallout devastating.”

The app – which has been downloaded and used over a million times – was found to lack basic functionality that would prevent malware from reading and stealing sensitive information, including passport details and photo identification, and fails to use obfuscation, which can make the job of writing targeted malware harder for malicious actors.

It is also vulnerable to basic and generic spyware that could log what is typed into its text fields – such as addresses and phone numbers.

Read more about mobile app security

Other easily exploited vulnerabilities include the ability to modify or add malicious elements to the app, and then repackage and redistribute it without it noticing; a lack of resilience to code injections while it is running; no ability to tell if it is running in a hostile environment, such as on a rooted phone where the basic security architectures of Android are broken; and no ability to tell if an attacker is analysing it at runtime using debugging tools.

A Home Office spokesperson told Computer Weekly: “We take the security and protection of personal information extremely seriously. The EU Exit: ID Document Check app is regularly tested by independent security firms against all known and emerging threats and adheres to industry best practice on security, performance and accessibility.

“Over a million people have used the app safely and we continually review our systems to ensure that it is kept safe.”

It is understood that to date, no known breaches of the app have taken place using any of the methods tested by Promon. The app was also independently tested and verified by external cyber security firms, with the last such test taking place in September 2019, and remains in compliance with all security requirements for apps available on both the iOS and Android platform.

Nevertheless, Arxan EMEA vice-president Mark Noctor said it was “astounding” that the Home Office had apparently failed to recognise the importance of appropriately securing such an important app.

“We need to continuously reiterate that mobile apps need to be protected in order to stop these vulnerabilities,” he said. “This can be done by implementing an app security mindset so everyone who is part of the app process is responsible for securing their part of the process, as well as building in-app protection, including app shielding, encryption and threat analytics.

“This will help prevent attackers, stop them in their tracks, and alert the developer to any threats that may be present.”

Poor implementation

Synposys senior security strategist Jonathan Knudsen added: “The Home Office’s intention to replace a cumbersome paper application with a smartphone app is laudatory, but the implementation has fallen short. Perhaps a top-to-bottom security-forward reworking of this app would produce both the desired functionality as well as the necessary safety and security for such a sensitive app.

The cornerstone of real software engineering is a Secure Development Life Cycle, in which security is a primary consideration at every phase of design and implementation. Coupled with more testing and better testing, the SDLC is a process that helps organisations produce software that is safer, more secure, and more robust.”

Under the current situation, EU citizens have until 30 June 2021 to register for Settled Status in the UK, although this may well change subject to whether or not the UK does indeed leave the EU as per its revised departure date of 31 January 2020. There is also no obligation to use the app, as other means of applying exist.

Promon did not test the recently-released iOS version of the app for iPhones, which was only made available in October 2019 after a convoluted and at-times controversial delivery process.

Read more on Application security and coding requirements