A Home Office app intended for EU citizens to apply for UK residency lacks basic security, potentially exposing the passport and biometric information of over one million users, according to experts.
Norwegian security firm Promon tested the EU Exit: ID Document Check application against common attack tools and tactics, and found it came up short in a number of areas.
First, it found the Android app lacks functionality to prevent malware reading and stealing sensitive user info.
“Attackers may modify or add malicious elements to the app, repackage and re-distribute the app, without the app noticing such changes or foreign elements,” Promon continued. “The app is [also] not resilient against code being injected while the app is running, allowing hijacking the app from the inside, by the use of basic and widely spread tools.”
In addition, there are no protections against the app being used in a hostile environment such as a rooted device, and it cannot detect when an attacker has attached debugging tools at runtime.
It doesn’t use obfuscation and is vulnerable to even basic spyware designed to harvest text entered into the app, the researchers explained.
That means it falls far short of OWASP best practices, exposing countless EU citizens who are using the application to apply to stay in the UK post-Brexit.
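The runtime self-checks the report says are missing (repackaging, debugger and rooted-device detection) can be illustrated in Android Java; this is an added example, not code from the Home Office app or from Promon, and it assumes Android API 28+ and a placeholder certificate hash that the build would pin. Checks like these raise the bar for the tooling the report mentions; they are a layer of defence, not a guarantee, and belong alongside server-side validation of what the app submits.

```java
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.os.Build;
import android.os.Debug;
import java.io.File;
import java.security.MessageDigest;

// Illustrative runtime integrity checks of the kind the report says the app lacks.
public final class IntegrityChecks {
    // Hypothetical placeholder: SHA-256 (hex) of the release signing certificate, pinned at build time.
    private static final String EXPECTED_CERT_SHA256 = "<SHA-256 OF RELEASE SIGNING CERT, HEX>";

    /** Repackaging check: a modified and re-signed APK carries a different signing certificate. */
    public static boolean isSigningCertificateExpected(Context ctx) {
        try {
            PackageInfo info = ctx.getPackageManager().getPackageInfo(
                    ctx.getPackageName(), PackageManager.GET_SIGNING_CERTIFICATES);
            Signature[] signers = info.signingInfo.getApkContentsSigners();
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            for (Signature s : signers) {
                StringBuilder hex = new StringBuilder();
                for (byte b : md.digest(s.toByteArray())) hex.append(String.format("%02x", b));
                if (hex.toString().equalsIgnoreCase(EXPECTED_CERT_SHA256)) return true;
            }
            return false;
        } catch (Exception e) {
            return false; // fail closed: any lookup failure is treated as untrusted
        }
    }

    /** Debugger check: a release build should be neither debuggable nor have a debugger attached. */
    public static boolean isBeingDebugged(Context ctx) {
        boolean debuggable = (ctx.getApplicationInfo().flags & ApplicationInfo.FLAG_DEBUGGABLE) != 0;
        return debuggable || Debug.isDebuggerConnected() || Debug.waitingForDebugger();
    }

    /** Rooted-device heuristic: test-keys firmware builds and common su binary locations. */
    public static boolean looksRooted() {
        if (Build.TAGS != null && Build.TAGS.contains("test-keys")) return true;
        String[] paths = {"/system/bin/su", "/system/xbin/su", "/sbin/su", "/system/app/Superuser.apk"};
        for (String p : paths) if (new File(p).exists()) return true;
        return false;
    }

    /** Combined gate an app would consult before handling passport or biometric data. */
    public static boolean environmentIsTrusted(Context ctx) {
        return isSigningCertificateExpected(ctx) && !isBeingDebugged(ctx) && !looksRooted();
    }
}
```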
“At this time of political uncertainty, the last thing that people who are applying to remain in the United Kingdom need, or expect, are concerns around whether their passport information and photo IDs are being stolen by hackers,” argued Promon CTO Tom Lysemose Hansen.
“As the app will continue to grow in popularity and demand, with more people fearful of what will happen to them if the UK does leave [the EU], it means that it will become increasingly attractive to attackers, with the potential subsequent fallout devastating.”