Governments worldwide have released COVID-19 mobile apps to provide citizens with useful information and, in some cases, to track individuals in an effort to contain the coronavirus outbreak. Cybersecurity researchers have discovered that some of these apps are affected by vulnerabilities and privacy issues that put citizens at risk.
One of these is the Iranian government’s official COVID-19 application. Available since early March, it was designed to track citizens and harvest personal information, without providing information on the pandemic. Researchers also found that an imposter app mimicking the government-issued tool is being distributed outside the relative security of the Google Play store, which is not generally accessible in Iran.
Another app that puts user privacy at risk is the official CoronApp-Colombia, which is meant to help individuals in Colombia track symptoms related to COVID-19. Available through Google Play, the app requests permissions to access location, read phone state, and read contacts. It is not malicious, but it contains vulnerabilities: it transmits protected health information (PHI) and personally identifiable information (PII) unencrypted over HTTP rather than HTTPS.
