Hong Kong Dismisses Report of Security Flaw in Covid Tracing App

(Bloomberg) — Hong Kong’s government has rejected a cybersecurity firm’s claim that flaws in the city’s Covid-19 tracing app could expose sensitive user information, saying there have been no incidents of data leakage.

The city’s government was responding to a security audit of the LeaveHomeSafe app published by Polish cybersecurity firm 7ASecurity, which said it detected vulnerabilities in the software that could allow hackers to access ID numbers, visit records or vaccination and testing information.

The audit, conducted in April and May through reverse engineering, found “significant flaws” in the software security, including three that were designated critical or severe, the firm said in a report published Wednesday. In response, the government said there had never been security or privacy incidents related to the LeaveHomeSafe app, which has undergone third-party assessments. 

Facial recognition capabilities identified in the report had already been removed from the app, it added. The government “regrets and firmly opposes the inaccurate report and unfair allegations,” the city’s chief information office said in an online statement.

Researchers from 7ASecurity said they shared their work, funded by the US non-profit Open Technology Fund, in June with the app’s developer, Hong Kong-based Cherrypicks, a subsidiary of Netdragon Websoft Holdings Ltd. Cherrypicks didn’t respond to a request for comment.

Constant Challenge

Mistrust around the contact tracing app has become a persistent challenge for the Hong Kong government since its rollout in 2020. That has only increased after LeaveHomeSafe became a necessity for checking into most venues, as the primary way to prove users’ vaccination status. 

While officials maintain that visit and vaccination records on the app are encrypted and stored only on the user’s device, many remain unconvinced. The city has grappled with low levels of public trust in the wake of the 2019 pro-democracy protests and harsh Covid containment measures.

Health secretary Lo Chung-mau indicated this month that the app may soon require real-name registration, akin to the equivalent app in mainland China. Other officials later walked back those comments.

Privacy advocates have called on the government to publish the source code for the app to assuage privacy concerns, said Edmon Chung, who serves on the board of directors for the non-profit Internet Society of Hong Kong. 

“Without it being an open-source app, we can’t see,” he said. “While there are no immediate breaches of privacy, it remains a potential of breach both through abuse by the government as well as security compromise.”

©2022 Bloomberg L.P.
